Simple Nomad said: >A series of evil packets will cause me to have remote root access to >Windows, Linux, and MacOS/X. Due to the nature of the vulnerability, I >will not be releasing any details. In fact, it is so secret even *I* >don't know the details, but I am *positive* that when I see someone >else post my work, I should get full credit, right? Great point. Seriously, though - this is becoming a big problem on these lists. If you don't post details, *and* you don't coordinate with the vendor, then you have provided ZERO actionable information, not to mention causing confusion when some details do come out in later disclosures - is it the same issue or not? Are customers protected or not? It's not just disclosures by unknown parties, either - some great examples of this are the GLEG and Immunity pay-to-play disclosures that don't include any vendor notification. For example, a GLEG proFTPd report caused no end of havoc for all parties concerned, including the Linux distros themselves, although at least there was a back-reference to make the connection, which is still pretty rare for a vendor. And there's also some difficulty in handling disclosures with a grace period in products whose vendors do not provide credits, as happens with NGS Software sometimes. Lately, CVE has started taking the approach that if there's no actionable information, *and* the researcher is not known to be reliable, then the reports amount to little more than rumors until proven otherwise. We assume (perhaps mistakenly) that reliable researchers have done their homework and are reporting new issues. Vulnerability information is noisy enough as it is without adding vague, unactionable claims into the mix. - Steve
