> However, it's highly surprising that the Apache developers call the
> iDefense approach "reasonable disclosure". Is it reasonable to
> disclose critical information on new security vulnerabilities to
> potential but paying blackhats *on* *the* *same* *day* *the* *vendors*
> *are* *notified*?
I think what the Apache developers might be saying may sound something closer to 'I/We think that this type of disclosure is more realistic' (assuming that there was a blackhat that developed the hack and it had been 0day for a while with that particular blackhat/or blackhatters....)

-Dan

> --
> Florian Weimer [EMAIL PROTECTED]
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT fax +49-711-685-5898
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------------
http://www.birmingham-infragard.org
p. 205.328.4200
emerg. 877.806.8928
Esse quam videra (to be, rather than to appear)
-----------------------------------
