> reasons. I'd like to point out a couple examples, and > promote discussion as to how this misinformation > affects the security community and the non-experts who > rely on this information to be valid. This problem has been solved in several other sectors of buisness. If you're relying on contractual statements to be valid in court you should rely on an attorney. You will feel more secure if your attorney has a good track record, and is respected by peers of both the attorney and corporations such as yourself. You can't be 100% sure that everything's going to hold up until you go to trial. The same is true with software vulnerabilities. Any researcher who's worth his salt has been up against software that has an error condition whose parameters are not straight forwardly exploitable yet has found a way to exploit it. I am aware of two or three organizations that are in the top of the game with respect to this type of information and if I could speak openly about such organizations a lot of the information I have would suprise you. Not all top 5 security corporations are what their websites/client lists would make them out to be. > You are likely not going to see any more than the DoS You just had to use the term likely which softens the impact of this sentence. Rightly so too. You have not thoroughly investigated all of the attack vectors and the memory layout of each process, and the internals of the functions in question, etc. When it gets down to it, proving something isn't exploitable can be quite like mathematically proving an operating system is secure. As I said previously, there are some vendors who you can trust with their opinion to a sound level and some who are snake oil. Regards, Evol
