The possibility of disclosure may make some people reluctant. I'm not reluctant and I'm fairly sure there are other people smarter than me who are not reluctant.
It is unlikely that an integrity hole is so obscure that only one person will discover it. So it is a race between the good guys and the bad guys. Both groups have smart people, so there is no guarantee which group will win. If the bad guys find it first, then they get to take advantage of it until the hole is closed. If the good guys find it first, then the hole has a chance to be closed before the bad guys can capitalize on it.

Of course, the vendor has to get their customers to apply the fix. Unless the fix is obviously completely painless and fool-proof, some customers may be reluctant to apply it. The vendor may need to disclose details in order to convince them, unless there is a new law that requires that all integrity fixes be applied, no questions asked.

Don Williams

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Shmuel Metz (Seymour J.)
Sent: Tuesday, April 06, 2010 10:30 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

In <!&!AAAAAAAAAAAYAAAAAAAAAIH+nruO4exAufAxNTnNpHSCxBIAEAAAACA1rFVV8e9NiM0/VBX0 taybaaaaa...@gmail.com>, on 04/05/2010 at 10:54 PM, Don Williams <donb...@gmail.com> said:

>I agree that the discussion between the reporter and developer should be
>secret, at least until the developer provides a solution or refuses. But
>that's not the question I was trying to comment on. I was more interested
>in the disclosure that IBM (or software vendor) has with their
>customers.

If the vendor discloses it then the conversation between the reporter and the developer *isn't* private. That may lead to a reluctance to report integrity exposures at all.

-- 
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
----------------------------------------------------------------------