[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities

To: "Drew Copley" <dcopley@xxxxxxxx>
To: "Windows NTBugtraq Mailing List" <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxx
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
From: "Jason Coombs PivX Solutions" <jasonc@xxxxxxxxxxx>
Date: Fri, 8 Oct 2004 01:35:43 +0000 GMT

Drew Copley wrote:
> ... ... ... ... ... ..., and, ... ... ...

Drew,

That such long and detailed explanations rationalizing, defending, and 
disputing disclosure policies, and correcting innacurate allegations concerning 
one's disclosure practices of the past, are necessary at all is proof that 
there are only two options: black or white. 

There are no gray areas when it comes to disclosure. Disclosure is something 
that good people do. Non-disclosure is something that bad people do. Be careful 
with asserting that there are lines somewhere in a gray area over which people 
should not step, for any such line is going to be a moving target, at best, and 
move right on past you while you are standing still, at worst, creating a 
condition where your own disclosures appear to have been malicious when viewed 
in retrospect.

To disclose, or not to disclose. That is the question.

If somebody of technical skill who has chosen disclosure decides that the 
circumstances warrant immediate full disclosure with proof of concept, then 
that is the action that must be taken. To do otherwise would be to go against 
one's own conscience, the core of which is already proved 'good' by the fact of 
the decision to disclose.

The longer one chooses non-disclosure, and the more willfully one does so, the 
less 'good' that disclosure appears - particularly after considering all of the 
technical truths about information security research and reverse engineering 
that you so carefully and corectly articulated.

Immediate full disclosure that cannot be disputed and leaves no room for debate 
immediately helps anyone who chooses to receive and consider the disclosure. 
Everything else serves only to delay and obscure that clear and urgent security 
alert communique, increasing the window of exposure and the Total Risk of 
Ownership needlessly.

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] House approves spyware legislation
Next by Date: Re: [Bulk] RE: [Full-Disclosure] House approves spyware legislation
Previous by thread: Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
Next by thread: [Full-Disclosure] Symantec Security Report 1V
Index(es):
- Date
- Thread