List: bugtraq
Subject: Re: CERT, CIAC, etc. and unethical practices
From: Catherine Allen <Catherine.Allen () uniq ! com ! au>
Date: 1996-12-23 10:51:52
> On top of this most people I know who've handed
> things to the CERT(s) not only do not receive a reply, but
> we do not see any visible action taken even after a month or more.
If you're going to say something this inflammatory, please do mention
*which* ERT/IRT you were dealing with.
Having worked at AUSCERT, I can say from experience that all mail is
answered. Having worked through some bug reports of this sort, I can
also say that the vendors were leaned on very heavily to actually *do*
something about the bug and that fixes were made available asap.
> I still do not understand the CERTs' attitudes towards some full disclosure
> groups and many individuals who are mainly interested in getting the holes
> fixed and are perfectly willing/happy to cooperate with vendors and
> CERT(s).
Because they're the poor bunnies who have to deal with all the sites that
get broken into due to published exploit scripts!
(There is generally a rash of sites that get cracked directly after the
publication of an exploit - then there are rashes of follow-on cracks
once the sniffer logs start filling. :( )
Personally, I consider publishing an exploit to be a sign that you are *not*
willing to work with a vendor (or an IRT). In effect, an exploit script
reduces the amount of time available to fix a problem to zero, which
encourages quick'n'dirty patches (likely sources of yet more bugs).
> 8lgm,
> Dave Meltzer
Who've been acknowledged in previous AUSCERT advisories...
Catherine.