On 2/28/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopl and others rehashing old ground. There are points on both sides, with radicals on one side (say marcus ranum) calling the disclosure people "vulnerability pimps" and radicals on the other saying that computer security would make no progress at all without disclosure. I've always sought some kind of middle ground when it comes to disclosure. The idea is to minimize risk to users of the broken system while at the samne time learning something about security and making sure the system gets fixed.
I think havning extremists is a good thing. Forces people to re-evaluate their position and actually do things, instead of having a disucssion about it. Without that there would be middle grounders sitting around wondering about the best approach. With the extremists these middlegrounders have to react, or at least companies do. Which is only good. Disclosure is the subject of my latest Darkreading column:
http://www.darkreading.com/document.asp?doc_id=118174 What do you think? Should we talk about exploits? Should we out vendors? Is there a line to be drawn anywhere?
I think if you find an exploit do what you personally want. If I had time to research them, I'd probably be pimping them out for as much as I could; why not? I can decide. I found it. Same to you, with what you found. The only line will come if some authority in some country makes it illegal to sell them. And obviously there would be incredible difficulties in isolating that, IMHO. gem
company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com
-- mike (s1, s2, s3) ;
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________