[VIM] Re: [Full-disclosure] Secunia published adviso withoutrespectingrelease date ! (fwd)

security curmudgeon jericho at attrition.org
Sat Jul 16 05:25:02 EDT 2005



---------- Forwarded message ----------
From: Xavier Beaudouin <kiwi at oav.net>
To: Jerome Athias <jerome.athias at free.fr>
Cc: full-disclosure at lists.grok.org.uk
Date: Sat, 16 Jul 2005 11:17:50 +0200
Subject: Re: [Full-disclosure] Secunia published adviso withoutrespectingrelease
      date !


On 16 Jul 05, at 03:59, Jerome Athias wrote:

> 2 things I remind myself...
> 
> 1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html

Yes. I received this one. But I still don't agree that Secunia didn't take the 
time to inform The Caudium Group *before* sending this "advisory" to security 
lists.

This is _not_ fair and positively a bad way to be *respected* on security 
advisories.

This is also the reason why we decided (we = Caudium Group) to close the bug 
tracker at SourceForge to avoid false information being sent.

Usually the idea is:

bug/security problems found -> draft of advisory is sent to developers to get 
more accurate information -> time to make a fix -> advisory is sent

Secunia has just taken a bug from our tracker *without* telling the Caudium 
Group that they are taking this for making an advisory, and just sent it to 
security lists with _false_ information.

I still consider that this is half-done work and they are not nice people when 
they make an advisory.

So because of that half-done work, all Caudium Group developers now don't 
trust Secunia anymore. I am sorry for them, but this is the way they make the 
advisory without contacting authors that gives us this situation.

> 2) This is an answer of Thomas before a disclosure of some vuln that Secunia 
> found "at the same time" :
> 
> 10/09/2004 19:40
> 
> Re: OpenOffice World-Readable Temporary Files Disclose Files to Local Users
> 
> Hi Jérôme,
> 
> This issue was originally discovered by Secunia on 16th August and
> reported to the vendors.
> 
> Please do not forward to anyone else. The various vendors will release
> updates on Wednesday in a co-ordinated disclosure.
> 
> Kind regards,

They didn't get so smarter with us. We still don't accept this fact.
If they were so smart we would still trust them. They were not, so they are
their own victim of their half work for the Caudium Group advisory.

/Xavier

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

