Story: Do 'irresponsible' security researchers help or hinder?
Let's face the issue head on! When a company knows of a security flaw in its software and fails to patch it whenever it is discovered, it is acting irresponsibly.
Scenario: I discover a flaw and report it to the vendor. The vendor may acknowledge it, disregard it, or claim a need for further research, then sit back and see if the flaw is exploited. The vendor will select which consumers get notified and will probably use non-disclosure policies to prevent further publication. Then, when a non-customer (security flaw hunter) posts the flaw, they cry foul, while at the same time knowingly leaving many users of their product open to attack.
My thoughts are that it is best for all that these flaws be publicized, because just as security researchers find these shortfalls, so can malicious "crackers"; you can bet that the underground communications systems will expose them to a segment of people who will exploit the security flaw.