Re: In reply to comments about new policy

John DiMarco (jdd@cdf.toronto.edu)
Tue, 29 Nov 1994 13:15:28 -0500

In message <m0rCHck-000AfbC@legless.demon.co.uk> you write:
>Firstly, apologies for not replying to everyone who has contacted us
>directly, I'd be here all night if I did.
>
>Before I start, I'd like to confirm that both Karl and myself are 100%
>behind full disclosure.
>
>However, if you recall, due to a lot of criticism of the way we were
>publishing advisories, we requested comments on how we should provide
>further information.  This new style was defined by the user community
>at large, we didn't decide on it.  If you want to vent your feelings,
>go on comp.security.unix and do it there, that's where you will find
>the creators of this new style.

Surely there is a third way: time-lapsed full disclosure. When a problem is
discovered, don't announce it until there's a patch, then announce the problem
and the patch together, without exploitation information. 

After a suitable time (weeks?) has passed, the rest of the information can be
announced.  But don't post scripts to exploit the bug; it gives root to too
many newbies.

Announcing: "there's a problem here, go bug your vendor" isn't very helpful. 
Announcing: "there's a problem here; here's how to use it to become root" is
dangerous, because you set up a race between sysadmins and hordes of newbies
all trying to exploit the bug before it is patched.

Regards,

John
--
John DiMarco <jdd@cdf.toronto.edu>                        Office: EA201B
Computing Disciplines Facility Systems Manager            Phone: 416-978-1928
University of Toronto                                     Fax:   416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.htm