Steven M. Christey wrote:
> A FAQ is at:
>
> http://www.oisafety.org/about.html
>
>
> The FAQ should be of high interest to anybody who does vulnerability
> research.

Particularly if they are connoisseurs of bullshit:

"Does OIS support pre-disclosure of vulnerability information to select groups?

No. We believe the software author should be given a chance to create a fix before vulnerability information is made public, but that there should be no further distribution of that information until the fix is complete. This principle can be very difficult to adhere to in certain situations, such as dealing with the open source community where there aren't protections to keep vulnerability information secret."

Yeah, right!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
