Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
- To: "Pavel Kankovsky" <peak@xxxxxxxxxxxxxxxxxxxxxx>
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
- From: "Jason Coombs PivX Solutions" <jasonc@xxxxxxxxxxx>
- Date: Sat, 9 Oct 2004 06:29:57 +0000 GMT
> 0. ("The primordial sin") The vulnerable product is released ...
> ...
> Vendors must work much harder to avoid releasing ... code ...
Absolutely correct. Vendors who release code are the core problem.
Vendors should not release code; they should release its source.
Where this is not done, vendors should at least release a detailed code map and
important security-related excerpts of the source as part of a forensic
analysis report about the code that enables a skilled person to more easily
read through the code with a hex editor and disassembler in a reasonable amount
of time and decide whether to use the vendor's product as-is or whether to
modify it to take out parts that expose unwarranted features and unwanted risk.
We simply must stop executing other people's OTS code.
Regards,
Jason
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html