| Seems to me like a thinly veiled marketing announcement.  Worked, too.
|
| I don't notice anything _too_ radically separated from well known
| vulnerability disclosure methods, with the singular exception that
| they do not make accommodations for a responsive vendor who has not
| yet released a patch, which is in contrast to the RFPolicy, a well
| known disclosure roadmap, and the referenced Christey-Wysopal policy.
|
| I read it as "Buy our scanner and you'll have access to vulnerabilities
| others don't yet have".
|

> > 
> >I couldn't agree more. I personally see it as a ploy touting the 
> >fact that their purchasable product will now and then be able to 
> >look for some vulnerabilities that other products won't be able to.
> 
> And this is wrong how? If David can protect his customers on a pro-active
> basis and allow them to assess their own risk I can't see how you find fault
> in it.
> 


My original point was not that this is wrong or right.  I wasn't 
trying to make any value judgments on the merit of this process,
but instead on the overall technical value of the announcement.

It is rather like my announcement that my name is Drew Simonis,
but I've decided to spell it "Drew simonis".  (note the lowercase!)
I hardly think this would start a rollicking discussion or new group
in alt.genealogy.surnames.*

In short, there is nothing of value in the announcement.  They are 
telling us that they are going to follow well known disclosure policies.
Isn't that a given for a respectable company?  This is why I 
characterized the announcement as a marketing ploy... for the lack of 
content, not the value of the content.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
