Alfred Huger wrote:
> 
> Heya all,
> 
> Most of you who are long time users of this list know I tend to avoid
> conversations on-list about full-disclosure. I'm of the opinion it's a
> religious discussion with little or no merit for debate given that people
> are unlikely to move from their current position.
> 
> Having said this every now and then something does occur within our
> industry to spur discussion. In this case I came across something which
> directly impacts the Pen-Testing arena and I would like to throw it out
> for open discussion. The event in question is a new Vendor Notification
> Alert Scheme the folks over at NGSSoftware announced yesterday. The
> announcement can (and should be) read at:
> 
> http://www.nextgenss.com/news/vna.html
> 


Seems to me like a thinly veiled marketing announcement.  Worked, too.

I don't notice anything _too_ radically separated from well known 
vulnerability disclosure methods, with the singular exception that 
they do not make accommodations for a responsive vendor who has not 
yet released a patch, which is in contrast to the RFPolicy, a well
known disclosure roadmap, and the referenced Christey-Wysopal policy.

I read it as "Buy our scanner and you'll have access to vulnerabilities
others don't yet have".


-Ds

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
