Ed Felten and I found out early on (back in 1996) that you can use the
press as a lever to get companies to do the right thing.  We learned
this when releasing the very first Java Security hole.  We found out
that Sun paid much more attention once USA Today picked up the story
from comp.risks.

Later, we could disclose the problems responsibly, keeping a short leash
on Microsoft, Netscape, and Sun without ever resorting to FULL
disclosure.  Our goal was to get the problems fixed with no nonsense.
The companies also allowed the press to be responsibly involved.

We discussed all of the problems we found in our books "Java Security"
and "Securing Java", but without ever releasing code for the exploits. 

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com  

-----Original Message-----
From: Blue Boar [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 03, 2006 12:50 PM
To: Gary McGraw
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] On exploits, hubris, and software security

Gary McGraw wrote:
> The main thing I wonder is, what do you think?  When you have a hot
> demonstration of an exploit, how do you responsibly release it?  What
> role do such demonstrations play in moving software security forward?

To pick one extreme, I believe there are times when intentionally 
blindsiding a vendor is appropriate:
http://ryanlrussell.blogspot.com/2006/11/you-want-mac-wireless-bugs.html

                                        BB



----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Reply via email to