Florian Weimer wrote:
> zen-parse <[EMAIL PROTECTED]> writes:
>
>>With regards to dealing with iDefense: It's an easier way for me to make
>>sure something is disclosed in an appropriate manner than me finding and
>>contacting all the people who need to be myself. And it gives me some
>>money, which, believe it or not, is useful to have occasionally.
>
> IMHO, the iDefense approach is highly questionable. But I won't argue
> with you in particular about it.
>
> However, it's highly surprising that the Apache developers call the
> iDefense approach "reasonable disclosure". Is it reasonable to
> disclose critical information on new security vulnerabilities to
> potential but paying blackhats *on* *the* *same* *day* *the* *vendors*
> *are* *notified*?

Umm. Nope. Guess there is a difference between iDefense and CERT after
all, then.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
