If the vulnerability has been there for a long time, delaying the information for a few months and then fixing it will be less of a risk then publishing the details immediately. If it's a new vulnerability, the responsible thing to do is to publish the fact that there is a vulnerability in that update.
The (somewhat simplified) way that IBM handles this for z/OS is via hold data and customer notification of security fixes. IMHO that works well. Mind you, keeping details secret is a holding action pending development and testing of a fix; it is in no way an excuse for not making a fix available ASAP. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Bob Bridges [robhbrid...@gmail.com] Sent: Sunday, February 13, 2022 8:19 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem' This is the old problem: Do you publicize what the problems are, so that the bad guys will find out? Or do you not detail the vulnerabilities, so that the good guys don't know how to protect themselves? I come down on Cliff Stoll's side. The bad guys out there already know; in his book he gives the details so the good guys can fix the problems. One might think "only SOME of the bad guys know; do we want them ALL to know?". But the bad guys are telling each other where the holes are. And since our work is defensive, not offensive, it doesn't matter whether there are a thousand bad guys who know the factory-default password, or only a hundred; all it takes is one and I'm vulnerable if I don't change it. So on the whole, I'm in favor of publishing the holes. I suppose if a fix can be implemented in a day or two, it might make sense to hold off that long. But if it's a matter of a week, I think publishing is better. That’s my vote, anyway. --- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 /* Shoveling the driveway before it has stopped snowing is like cleaning your house before your kids are grown. */ -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Itschak Mugzach Sent: Sunday, February 13, 2022 02:23 very responsible. Meanwhile, the client is open for attacks. However, he can't protect himself since no one reported it affects his MF. --- בתאריך יום א׳, 13 בפבר׳ 2022 ב-3:42 מאת Seymour J Metz <sme...@gmu.edu>: > I believe that developing a fix before you disclose the vulnerability > is the responsible thing to do. > > ________________________________________ > From: David Crayford [dcrayf...@gmail.com] > Sent: Saturday, February 12, 2022 6:17 PM > > Are you sure the attacker doesn't have the code? A huge percentage of > hacks come from insider threats. In the case of Solar Winds the > attackers had the code and access to the build pipeline. > > --- On 13/2/22 3:38 am, Itschak Mugzach wrote: > > If someone develops code that is vulnerable, only the organization > > he works for is (potentially) affected and the attacker does not > > have access to the code to play with. With open source, the code is > > accessible to everyone, and the problem hits millions of > > organizations. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
