On Tue, 2003-07-01 at 20:18, [EMAIL PROTECTED] wrote:

> As for the criticism on Microsoft's blasting researchers who poorly handle
> security vulnerabilities, most of it is not valid.
If MS had a better means of reporting the problem, or handling bug reports, I'd be more sympathetic.

My only experience with MS bug reporting was this known bug with IE: if you configure your web server to negotiate delivery of compressed content, IE will tell the server that it accepts a compressed PDF. It will then hand off the compressed data stream to Acrobat Reader, apparently without decompressing or letting Acrobat know the content should be decompressed.

About a year ago, I tripped over this issue. (I have since found out it is a known bug - see http://www.sitepoint.com/print/1029). In an effort to help MS, I spent hours of company time registering to various bug reporting services on MS sites - and never found one that would accept my bug report because IE is not a paid product. Not that I wanted any support - I only wanted to help them out. In the end, I emailed [EMAIL PROTECTED] or some such valid email address. A year later, I am still waiting for a response from MS. No email was bounced, and there was not even an autoresponder. I have not tried the experiment recently, but this issue still is not in their knowledge base, and I still have no reply.

If this is the experience of the typical security researcher, it seems to me that radical full disclosure is a reasonable response - if the vendor will not provide the tools for the users to protect themselves, then the users must band together for self preservation.

OTOH, if vendors do respond, then radical full disclosure seems to me unwarranted, and a source of increased risk. For instance, every bug I have reported to PostgreSQL, Red Hat, Mozilla.org, and Ximian [Evolution] has been acknowledged and fixed - always within a few months, usually within days. It's like any relationship -- the way you are treated reflects the trust you have earned.

Matt, you make some valid points. But ISTM they hinge on MS being responsive to bug reports. In my limited experience, they are not.
-- 
Karl DeBisschop <[EMAIL PROTECTED]>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
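The failure mode Karl describes is a client advertising gzip support and then handing a still-compressed PDF to an external viewer. The server-side mitigation is to keep PDF out of content negotiation altogether. The following is an added example, not code from the original post or from the sitepoint article: a small Python helper that parses Accept-Encoding (including q-values), refuses to gzip types on an exclusion list, and only compresses types where gzip is worthwhile. The exclusion list, the compressible-type list, the function names and the sample request values are all assumptions of this example.

```python
import gzip
from typing import Dict, List, Tuple

# Types that some clients hand off to an external helper application without
# decompressing first (the post describes IE doing this with PDF and Acrobat
# Reader). Serving them uncompressed sidesteps that failure mode.
# ASSUMED list for this example; extend it to match your own deployment.
NO_COMPRESS_TYPES = {"application/pdf"}

# Types where gzip actually saves bytes; images, archives, etc. are already
# compressed and gain nothing. ASSUMED list for this example.
COMPRESSIBLE_TYPES = {
    "text/html", "text/plain", "text/css",
    "application/javascript", "application/json",
}


def parse_accept_encoding(header: str) -> Dict[str, float]:
    """Parse an Accept-Encoding header into {coding: q-value}.

    'gzip, deflate;q=0.5, *;q=0' -> {'gzip': 1.0, 'deflate': 0.5, '*': 0.0}
    A malformed q-value is treated as 0 (not acceptable) rather than 1.
    """
    prefs: Dict[str, float] = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        prefs[coding] = q
    return prefs


def client_accepts_gzip(accept_encoding: str) -> bool:
    """True only if the client explicitly (or via '*') accepts gzip with q > 0."""
    prefs = parse_accept_encoding(accept_encoding)
    if "gzip" in prefs:
        return prefs["gzip"] > 0
    if "*" in prefs:
        return prefs["*"] > 0
    return False


def should_compress(accept_encoding: str, content_type: str) -> bool:
    """Decide whether this response may be sent with Content-Encoding: gzip.

    The exclusion list wins over whatever the client advertises: a client
    that claims to accept a compressed PDF still gets it uncompressed.
    """
    media = content_type.split(";")[0].strip().lower()
    if media in NO_COMPRESS_TYPES:
        return False
    if media not in COMPRESSIBLE_TYPES:
        return False
    return client_accepts_gzip(accept_encoding)


def build_response(accept_encoding: str, content_type: str,
                   body: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Return (headers, body) for a response, gzip-encoding it when allowed.

    'Vary: Accept-Encoding' is always set so shared caches never serve a
    compressed variant to a client that did not ask for one.
    """
    headers = [("Content-Type", content_type), ("Vary", "Accept-Encoding")]
    if should_compress(accept_encoding, content_type):
        body = gzip.compress(body)
        headers.append(("Content-Encoding", "gzip"))
    headers.append(("Content-Length", str(len(body))))
    return headers, body


if __name__ == "__main__":
    # Constructed sample requests: a browser advertising gzip for both a
    # PDF and an HTML page. Only the HTML page is compressed.
    pdf_headers, pdf_body = build_response(
        "gzip, deflate", "application/pdf", b"%PDF-1.4 constructed sample")
    html_headers, html_body = build_response(
        "gzip, deflate", "text/html; charset=utf-8",
        b"<html><body>constructed sample</body></html>")
    print(pdf_headers)   # no Content-Encoding header
    print(html_headers)  # includes ('Content-Encoding', 'gzip')
    print(gzip.decompress(html_body))
```

Note that the exclusion check runs before the client's preferences are consulted, so the behaviour of any one client is irrelevant: a type on the list is never negotiated. The same idea is usually expressed in web-server configuration as a per-type exception to the compression module, which is the cheaper place to put it in production.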
