Ed Felten and I found out early on (back in 1996) that you can use the press as a lever to get companies to do the right thing. We learned this when releasing the very first Java Security hole. We found out that Sun paid much more attention once USA Today picked up the story from comp.risks.
Later, we could disclose the problems responsibly, keeping a short leash on Microsoft, Netscape, and Sun without ever resorting to FULL disclosure. Our goal was to get the problems fixed with no nonsense. The companies also allowed the press to be responsibly involved. We discussed all of the problems we found in our books "Java Security" and "Securing Java", but without ever releasing code for the exploits.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com

-----Original Message-----
From: Blue Boar [mailto:[EMAIL PROTECTED]
Sent: Friday, November 03, 2006 12:50 PM
To: Gary McGraw
Cc: [email protected]
Subject: Re: [SC-L] On exploits, hubris, and software security

Gary McGraw wrote:
> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly release it? What
> role do such demonstrations play in moving software security forward?

To pick one extreme, I believe there are times when intentionally blindsiding a vendor is appropriate:

http://ryanlrussell.blogspot.com/2006/11/you-want-mac-wireless-bugs.html

BB