Based on my general impressions in day-to-day operations for CVE (around
150 new vulns a week on average), maybe 40-60% of disclosures happen
without any apparent attempt at vendor coordination, another 10-20% with a
communication breakdown (including they didn't answer in 2 days), and
the rest
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote:
I think some vendors have come around to the economics argument. In
every case, those vendors with extreme reputation exposure have
attempted to move past penetrate and patch. Microsoft, for one, is
trying hard, but (to use my broken leg
Kenneth Van Wyk wrote:
So, I applaud the public disclosure model from the standpoint of
consumer advocacy. But, I'm convinced that we need to find a process
that better balances the needs of the consumer against the secure
software engineering needs. Some patches can't reasonably be produced
On Tue, 27 Feb 2007, J. M. Seitz wrote:
Always a great debate. I somewhat agree with Marcus: there are plenty of
pimps out there looking for fame, and there are definitely a lot of them
(us) that are working behind the scenes, taking the time to help the vendors
and to stay somewhat out of
Though I share Steve's sentiments on the anti-researcher bias, and I
agree with Gary's yin-yang conclusion, I really hate the question itself.
The disclosure question itself *presumes* that the current state of the
industry (defective products) is economically efficient. The premise
absolves
J. M. Seitz wrote:
On a related note, does anyone have an example where Company A was
disclosing vulnerabilities about competing Company B's product and got into
trouble over it? Is this something that could be litigated?
In fact, Tom Ptacek found a hole in one of Marcus' products while
On 2/28/07, Gary McGraw wrote:
Hi all,
The neverending debate over disclosure continued at RSA this year with a
panel featuring Chris Wysopal and others rehashing old ground. There are
points on both sides, with radicals on one side (say Marcus Ranum)
calling the disclosure