Date: Tue, 10 Apr 2001 23:32:53 -0500
From: Christopher Schulte <christopher@schulte.org>
To: "Crist Clark" <crist.clark@globalstar.com>, Nicole Harrington <nmh@daemontech.com>
Cc: Ben Smithurst <ben@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG, Michael Bryan <fbsd-secure@ursine.com>, Michael Nottebrock <michaelnottebrock@gmx.net>
Subject: Re: Security Announcements?
Message-ID: <5.1.0.12.0.20010410232348.00ac7870@pop.schulte.org>
In-Reply-To: <3AD39518.CFE8CB46@globalstar.com>
References: <XFMail.010410154347.nmh@daemontech.com>
At 04:19 PM 4/10/2001 -0700, Crist Clark wrote:

>A classic debate/flamewar, should the vendor notify before the fix
>is available? Been discussed to death a zillion times, and I will not
>start it again, but most vendors (Sun, Cisco, Microsoft) do not release
>notices until a solution is available. In extreme cases, a notice /may/
>be put out if the vulnerability is publicly disclosed, very serious,
>and some workaround is available.

In the case of an internal audit finding a new vulnerability or bug for which a fix is not available, and where knowledge of the bug is not believed to be 'in the wild', full public disclosure can be both inappropriate and harmful.

In the case of a publicly available bug (ftpd, ntpd, bind, foo), timely notification is critical, even if no workarounds or fixes are included.

My posts here are directed solely toward publicly known bugs.

>--
>Crist J. Clark                           Network Security Engineer
>crist.clark@globalstar.com               Globalstar, L.P.
>(408) 933-4387                           FAX: (408) 933-4926

--chris