Re: [Full-Disclosure] Beta Advisories

["Poof" <poof@xxxxxxxxxxxxx>]

Well, I'm personally all for announcing a beta advisory. However, when I'm 
all for it is as follows:

Example. Eudora posts a PUBLIC beta on their website. Then fine, announce 
the bug anywhere. However, when it's private. It should go the normal bug 
ways. To the devs so they can fix it. Fine, it may take a build or two. But 
it'll be fixed.

Also, I do consider gmail slightly private as it IS 'invite only'. So yes, 
you should wait before reporting this. On betas the devs are usually extra 
busy as they're currently having to write code everywhere. They're not just 
lounging around waiting for bug reports.

~
Yes, I know this isn't written very well... However...



> Yes, and the OIS guidelines are thinly veiled "Oh please don't tell the
> world that we have had this bug for 6 months...we'll look bad" methods for
> being able to quash the full disclosure model and take the  pressure of
> "respond to me, get it fixed, or thr world is going to know about it" off
> the vendors.  Do you really think that the vendors will expend resources
> to fix things just because it is "the right thing to do"?   Please tell me
> you're not that naive...please.
>
> I'm not advocating playing bombs away, sneak attacking a vendor by issuing
> a 0-day disclosure publicly.  I sure as hell am saying that a vendor
> knowing the vuln will in fact be disclosed after a reasonable period of
> time, fixed or not, has certainly motivated more than a few to get the fix
> done prior to taking a public black eye.
>
> Bart Lansing
> Manager, Desktop Services
> Kohl's IT

Attachment: smime.p7s
Description: S/MIME cryptographic signature