
Re: [pgsql-advocacy] MySQL worm attacks Windows servers

On 2/6/2005 4:31 PM, Greg Stark wrote:

> Jan Wieck <JanWieck@xxxxxxxxx> writes:
>
>> No, Peter.
>>
>> Posting a vulnerability on a public mailing list "before" there is a known fix
>> for it means that you put everyone who has that vulnerability into jeopardy.
>> Vulnerabilities are a special breed of bugs and need to be exterminated a
>> little differently.

> Many people disagree with this. Posting the vulnerability isn't what puts
> people into jeopardy, the presence of the vulnerability puts people in
> jeopardy. Posting it at least allows people to disable the feature or close
> off access. Or at least monitor for possible intrusions. Not posting it leaves
> people in jeopardy and in the dark about it.
>
> If you think you're the first one to find the vulnerability you're probably
> wrong. Often malicious hackers who search for vulnerabilities find them and
> keep them secret long before they're reported.
>
> How would you feel if your system was compromised and then you found out later
> that it was a known security hole in a feature you had no need for and the
> vulnerability had been kept secret?

It's interesting that everyone advocating for "immediate public report" is always talking about vulnerabilities that can be taken care of by disabling some unused feature. What do you do if you find a vulnerability in the text/varchar data type multibyte handling? Still tell the world about it before having a fix?



Jan

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@xxxxxxxxx #
