
Re: [Full-Disclosure] Re: Cisco's stolen code

Jason,

Your middle of the road approach is probably the best.  Proper advisory release 
process would have "us" notify the vendor of a code flaw and give them time to 
respond and post an advisory before releasing a sploit or advisory to the wild 
ourselves.  Timeframe would depend on the severity, and it would probably be 
fine to give people a heads up on the issue. 

(Without being overly specific.  e.g. "There's a potentially bad bug in IOS.  
Vendor's been notified.  Enable "STOP_EVIL_HAXOR" to mitigate the threat.  
Vendor will release details.")

I'm not sure it came across in my post, but for discussion's sake I was 
assuming the advisory was being released with the honest intention of 
protecting infrastructure, rather than as an attempt to gain glory.

Cheers,
L4J

On Wed, May 26, 2004 at 12:52:06PM -0400, Jason Weisberger wrote:
> I think the line needs to be drawn somewhere in the middle.  Using
> stolen Cisco code to find vulnerabilities in their software and
> publishing advisory notices based on stolen code is unethical.  A common
> middle-ground would be to inform the company and not publish the
> advisory.  In this way, the company can release its own advisory and
> will probably let you go unchecked.  If it's fame and fortune you're
> looking for, then release the advisory while realizing the risk of being
> sued by Cisco for possession of their intellectual property.
> 
> I suggest being humble.
> 
> Jason Weisberger
> http://www.csrev.com
> 
> Mister Coffee wrote:
<long assed thread snipped> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html