Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-07 Thread Steven M. Christey
Based on my general impressions in day-to-day operations for CVE (around 150 new vulns a week on average), maybe 40-60% of disclosures happen without any apparent attempt at vendor coordination, another 10-20% with a communication breakdown (including "they didn't answer in 2 days"), and the rest

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Steven M. Christey
On Tue, 6 Mar 2007, Kenneth Van Wyk wrote: > While a simple strcpy-->strncpy (or similar) src edit takes just > moments, and shouldn't impact the functionality and reliability of any > software, patches are rarely that simple. Agreed, but this needs to change. The threat environment has provabl

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Blue Boar
Kenneth Van Wyk wrote: > So, I applaud the public disclosure model from the standpoint of > consumer advocacy. But, I'm convinced that we need to find a process > that better balances the needs of the consumer against the secure > software engineering needs. Some patches can't reasonably be produ

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Kenneth Van Wyk
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote: I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg analog

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Gary McGraw
03 2007 To: SC-L@securecoding.org Cc: Steven M. Christey Subject: Re: [SC-L] Disclosure: vulnerability pimps? or super heroes? Though I share Steve's sentiments on the anti-researcher bias, and I agree with Gary's yin-yang conclusion, I really hate the question itself. The disclo

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-05 Thread Stuart Moore
Though I share Steve's sentiments on the anti-researcher bias, and I agree with Gary's yin-yang conclusion, I really hate the question itself. The disclosure question itself *presumes* that the current state of the industry (defective products) is economically efficient. The premise absolves vend

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-05 Thread Steven M. Christey
On Tue, 27 Feb 2007, J. M. Seitz wrote: > Always a great debate, I somewhat agree with Marcus, there are plenty of > "pimps" out there looking for fame, and there are definitely a lot of them > (us) that are working behind the scenes, taking the time to help the vendors > and to stay somewhat out

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-02-27 Thread Michael Silk
On 2/28/07, Gary McGraw <[EMAIL PROTECTED]> wrote: Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopal and others rehashing old ground. There are points on both sides, with radicals on one side (say marcus ranum) calling the disclosure

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-02-27 Thread Blue Boar
J. M. Seitz wrote: > On a related note, does anyone have an example where Company A was > disclosing vulnerabilities about competing Company B's product and got into > trouble over it? Is this something that could be litigated? In fact, Tom Ptacek found a hole in one of Marcus' products while work

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-02-27 Thread J. M. Seitz
D] On Behalf Of Gary McGraw Sent: Tuesday, February 27, 2007 11:24 AM To: SC-L@securecoding.org Subject: [SC-L] Disclosure: vulnerability pimps? or super heroes? Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopal and others rehashing old

[SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-02-27 Thread Gary McGraw
Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopal and others rehashing old ground. There are points on both sides, with radicals on one side (say marcus ranum) calling the disclosure people "vulnerability pimps" and radicals on the other