Re: Pro Disclosure (was Re: UnixWare)

Paul A Vixie (paul@vix.com)
Sat, 30 Apr 1994 01:00:46 -0700

I think this anti-CERT sentiment is misplaced.  If someone tells CERT about
a bug and CERT manages to tell the vendors about the bug, before _everybody_
knows about the bug, then it seems to me that a good service has been done.

Generally what happens is:

	a bad guy finds a hole
	lots of bad guys use the hole
	some good guy notices the hole being used, and tells CERT
	CERT tells the vendors
	some vendors get a binary patch together; others ignore it
	CERT tells the world of the existence (but not details!) of the hole,
		and gives references to the vendor's patches, and suggested
		workarounds
	the rest of the bad guys learn about and use the hole
	the good guys eventually figure out what the hole was

I, like others on this list, would like the last step shown above to come
earlier in the script than it does now.  But since there is no way to give
information to _just_the_good_guys_ or at least enough of them to matter,
I think CERT's approach approaches do-least-evil.  And they do some good.
If anyone here has a better approach in mind, let's hear it, ok?

[ the last major hole CERT reported was one of mine :-( ]