[VIM] Dana Epp on responsible disclosure and VDB's
security curmudgeon
jericho at attrition.org
Tue Aug 23 17:36:46 EDT 2005
: A recent blog entry by Dana Epp calls SecurityFocus to task for
: publishing a BID on a third party researcher's report of a buffer
: overflow that had not been coordinated with the vendor:
:
: Please act more responsibly "AT ma CA". And you too Symantec (the
: owners of Security Focus). You aren't helping the industry when you
: do this. You hurt it.
:
: http://silverstr.ufies.org/blog/archives/000849.html
:
: Given the growing frequency of these kinds of complaints, it feels like
: vuln DB's are going to be visibly targeted one of these days.
Interesting! I noticed you posted after I submitted my own:
"It took me less than a minute to see that v2.93 just came out and that
there was no way that responsible disclosure was used in relation to this
advisory."
Ok, how long did it take you to check the disclosure for the other dozen
vulnerabilities released that day? How about the days when we see as many
as 100 vulnerabilities released? Does it matter that SecurityFocus posted
it 24 hours after other security sites did, and posted it likely knowing
that it was already public?
You should also correct the version number above, as 9.23 was affected,
not 2.93. If you ran a database, some folks may complain about the
inaccurate information you provide as well.
Posted by: security curmudgeon at August 23, 2005 02:30 PM