Date: Fri, 24 Jul 2015 14:15:46 +0200
From: Martino Dell'Ambrogio <tillo@...lo.ch>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper
 - CVE-2015-3246 libuser

On 07/24/2015 11:47 AM, Leif Nixon wrote:
> [...]
>
> As I see it, there are two reasons for releasing working exploits
> without warning;
>
> 1) Forcing the hand of a non-responsive vendor,
>
> 2) Stroking a weak ego by showing off. (Or for marketing, but that comes
>    to the same thing.)
>
> Except for case 1, releasing a working exploit *does not help anybody*
> except the kiddies. If there are other reasons, I'd like to be told
> about them.
>
> If Qualys had released a slightly less detailed advisory, or even just
> left off the actual exploit, and given users a day or two to patch their
> systems before going full disclosure, the risk to innocent bystanders
> would have been much reduced.
>

Actually, releasing a working exploit helps our customers more often
than not.
In professional pentesting, proof of exploitation is essential.
More often than not, a real attacker will invest time and resources into
a working exploit, the customer will not feel the need to invest into it
just for simulation.

Moreover, as soon as systems can be patched, they should be.
Of course a few hours' delay is not realistic, but I want to be sure that
everyone understands how much "releasing a working exploit *does not
help anybody*" is false.

I urge researchers to continue to release their exploits into the public
domain.
Do it "responsibly", maybe get help in order to do it correctly, but do
it, because it's beneficial more than harmful to any potential target.

-- 
Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: tillo@...lo.ch


