Steve Friedl wrote:
On Wed, Apr 13, 2005 at 10:54:34AM -0400, bkfsec wrote:I agree with you. I wasn't implying that people shouldn't work with MSFT on disclosures, rather that their attitude had not changed nearly as much as some people seem to think it has.
It doesn't matter how much honey is poured into people's ears (or smoke blown up their asses, if you will), it's the proof that's in the pudding that counts, and the pudding is sour.
Even if you decide, for the sake of discussion, that Microsoft sucks, there is still a good reason to work with MSFT on disclosure: the users.
There's also a big difference between should and must. Security researchers should work with vendors to get solutions out responsibly, including Microsoft, but they should not be restricted from publishing their findings if a vendor just wants to sweep things under a rug.
-Barry
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
