On Wed, 26 Apr 2006, Tim Bilbro wrote: > You do a disservice to all IT shops by announcing these vulnerabilities > before contacting the vendor.
How were you impacted? What were your damages? The only loss that could possibly occur to you or your company was the time you wasted to write this rant, and the subsequent damage to your reputation if you turn this into a fully-fledged and entirely counterproductive flamewar. In case you didn't notice, I *do* work with vendors; not because I believe that a particular disclosure policy is morally superior, but because I chose to. Microsoft is a rare exception to this rule, for a couple of reasons. Why, you ask? It is my unsubstantiated opinion that they consistently, unreasonably delay disclosure of problems; that they don't participate in the vulnerability research community in any way, while trying to impose artbitrary standards and punish certain researchers (often employing borderline extortion practices); and that they routinely communicate false pretenses when dealing with the media regarding known security issues. I can't make a difference, but I'm one of the few folks who can still afford this small degree of civil disobedience. > I am sure it would not generate as much web traffic to your site Oh, tragic. Generating traffic to my ad-free webpage is precisely why I spend hours researching problems. Now you see why I couldn't handle it any other way. > Would you go around town checking which stores are unlocked at night and > then publish the list in the news before letting the shop owners know? I see that you took the "bad analogy 101" course in the logical fallacy class? /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/