Hi Brandon,

> I always assume if I have
> found a vulnerability, someone else has found it as well.
Yes, you should. For those out there who don't routinely find vulnerabilities, it is hard for them to understand that these issues aren't hard to find if you know what you're looking for. Quite a few bugs I've found in the past have been found by others independently and published before I got around to it. It happens a LOT more than people think.

Also, I think companies that sell security software should be held to a higher standard when it comes to fixing bugs. What's the point in buying security "solutions" if those solutions make you more vulnerable? If they currently can't turn around fixes for vulnerabilities quickly, then they can:

A. Invest more in their release cycle so new releases can be put out much more quickly.
B. Invest more in up-front security testing and Q/A, so they aren't shipping vulnerable code to begin with.
C. Do both A and B.

Preventing these bugs isn't black magic. It isn't rocket surgery. It's just a matter of getting business leaders to care about shipping quality code.

tim

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/