> From: [EMAIL PROTECTED]
>
> Good points,
> One question remains however. If we are to attach exploit code to our
> advisories, how do we protect the innocent from attacks by malicious
> people using our exploit code? I honestly believe that exploits are
> digital munitions that should be distributed under restrictions. Do you
> agree that a vulnerability can be clearly demonstrated in an advisory by
> showing debugger output and explaining the output? If proof of concept
> code needs to be made, it could be generated from the detail in the
> advisory. Why is that not a solution?

Sorry, but I think that full disclosure, by definition, is telling something without caring a thing about consequences. I'm not saying whether it's right or not, but so it is. If we believe in full disclosure (as I do) we have (silently) accepted that what we're saying can be used in different ways.

"full disclosure" != "exploit release", but "exploit release" C "full disclosure" ( C -> belongs to :)

Bye!
A.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
