Date: Fri, 24 Jul 2015 14:15:46 +0200 From: Martino Dell'Ambrogio <tillo@...lo.ch> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser On 07/24/2015 11:47 AM, Leif Nixon wrote: > [...] > > As I see it, there are two reasons for releasing working exploits > without warning; > > 1) Forcing the hand of a non-responsive vendor, > > 2) Stroking a weak ego by showing off. (Or for marketing, but that comes > to the same thing.) > > Except for case 1, releasing a working exploit *does not help anybody* > except the kiddies. If there are other reasons, I'd like to be told > about them. > > If Qualys had released a slightly less detailed advisory, or even just > left off the actual exploit, and given users a day or two to patch their > systems before going full disclosure, the risk to innocent bystanders > would have been much reduced. > Actually, releasing a working exploit helps our customers more often than not. In professional pentesting, proof of exploitation is essential. Most often than not, a real attacker will invest time and resources into a working exploit, the customer will not feel the need to invest into it just for simulation. Moreover, as soon as systems can be patched, they should be. Of course a few hours delay is not realistic, but I want to be sure that everyone understands how much "releasing a working exploit *does not help anybody*" is false. I urge researchers to continue to release their exploits into the public domain. Do it "responsibly", maybe get help in order to do it correctly, but do it, because it's beneficial more than harmful to any potential target. -- Martino Dell'Ambrogio Security Auditor Web: http://www.tillo.ch/ Email: tillo@...lo.ch [ CONTENT OF TYPE application/pkcs7-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ