> Nice stance, but complete off target. Currently, Microsoft releases > the most detailed advisories, in a consistent format, with extensive > information about possible workarounds etc.
Microsoft's initial notification for the dcom exploit suggested blocking port 135 as a possible workaround even though they were completely aware it was a dcom issue which was available via multiple ports. Only after details were released to the security community was it discovered this information was incorrect. I've seen countless times where the security community got details of a flaw and used that information to uncover further issues. It is unreasonable to expect whoever a vendor assigns to investigate a flaw is going to do as thorough a job as the entire security community will if given the details. Geo. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
