On 2/28/07, Gary McGraw <[EMAIL PROTECTED]> wrote:

Hi all,

The neverending debate over disclosure continued at RSA this year with a
panel featuring Chris Wysopl and others rehashing old ground.  There are
points on both sides, with radicals on one side (say marcus ranum)
calling the disclosure people "vulnerability pimps" and radicals on the
other saying that computer security would make no progress at all
without disclosure.

I've always sought some kind of middle ground when it comes to
disclosure.  The idea is to minimize risk to users of the broken system
while at the samne time learning something about security and making
sure the system gets fixed.

I think havning extremists is a good thing. Forces people to re-evaluate
their position and actually do things, instead of having a disucssion about
it. Without that there would be middle grounders sitting around wondering
about the best approach. With the extremists these middlegrounders have to
react, or at least companies do. Which is only good.

Disclosure is the subject of my latest Darkreading column:

What do you think?  Should we talk about exploits?  Should we out
vendors?  Is there a line to be drawn anywhere?

I think if you find an exploit do what you personally want. If I had time to
research them, I'd probably be pimping them out for as much as I could; why
not? I can decide. I found it. Same to you, with what you found.

The only line will come if some authority in some country makes it illegal
to sell them. And obviously there would be incredible difficulties in
isolating that, IMHO.


company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com

-- mike (s1, s2, s3) ;
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to