> Why didn't I even try, you say? Past experiences of numerous researchers
> aside, consider this: Microsoft takes 3-6 months to fix critical but
> non-public vulnerabilities in their flagship software (some of these flaws
> must've been independently discovered by the rogues, hence putting
> customers at great risk, or at best taking chances). This is not a
> reasonable timeframe, compared to industry averages. Yet, they only take
> 2-4 weeks to fix publicly disclosed bugs - thus making software safer,
> sooner.
Nice of you to make that risk assessment for the entire IA community. Thanks.

> You're making an argument for no disclosure and no accountability...
> ...by saying that it sucks for infosec workers to have to do some actual
> work, rush workarounds, write IDS signatures - based not on guesses,
> but on useful information...
> ...and you're making this argument on a full disclosure mailing list.
> Bravo.

I have made no such arguments. My argument is that a responsible researcher should give the vendor a chance to respond. If they don't within a reasonable amount of time, publish the vulnerability and document the vendor's lack of response. Further, releasing a zero-day vulnerability without giving a vendor any chance to respond does more harm than good. That's my argument.

Sorry to crash the party here, but you guys aren't going to be able to release zero-day exploits without getting some flak from the folks who have to respond to them. Free speech goes both ways, you know.

I'd say we're at a point of agreement on disagreeing at this point.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
