OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1994: Re: In reply to comments about new policy

Re: In reply to comments about new policy

John DiMarco (jddcdf.toronto.edu)
Tue, 29 Nov 1994 13:15:28 -0500

In message <m0rCHck-000AfbClegless.demon.co.uk>you write:
>Firstly, apologies for not replying to everyone who has contacted us
>directly, I'd be here all night if I did.
>
>Before I start, I'd like to confirm that both Karl and myself are 100%
>behind full disclosure.
>
>However, if you recall, due to a lot of criticism of the way we were
>publishing advisories, we requested comments on how we should provide
>further information.  This new style was defined by the user community
>at large, we didn't decide on it.  If you want to vent your feelings,
>go on comp.security.unix and do it there, thats where you will find
>the creators of this new style.

Surely there is a third way: time-lapsed full disclosure. When a problem is
discovered, don't announce it until there's a patch, then announce the problem
and the patch together, without exploitation information. 

After a suitable time (weeks?) has passed, the rest of the information can be
announced.  But don't post scripts to exploit the bug; it gives root to too
many newbies.

Announcing: "there's a problem here, go bug your vendor" isn't very helpful. 
Announcing: "there's a problem here; here's how to use it to become root" is
dangerous, because you set up a race between sysadmins and hordes of newbies
all trying to exploit the bug before it is patched.

Regards,

John
--
John DiMarco <jddcdf.toronto.edu>                        Office: EA201B
Computing Disciplines Facility Systems Manager            Phone: 416-978-1928
University of Toronto                                     Fax:   416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.html