<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Publishing exploit code - what is it good for



[Because of all the broken autoresponders on bugtraq, the header From:
is a bitbucket.  Use the address in the signature to reach me.]

>> Quote: " If I speak to an end-user organization and they express
>> legitimate needs for exploit code, then I'll change my opinion."

Well, I'm not an end-user organization, but as an end user[%], the
major benefit I see to full disclosure is that it appears to be close
to the only thing that has any real success at getting vendors to fix
bugs.  (In general.  There certainly are vendors that stay on top of
things without needing the prod of public exploit disclosure.  But they
are notable by their rarity.)

[%] "End user" is not the only hat I wear.  It's just the one I'm
    wearing here.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@xxxxxxxxxxxxxxxxxxxxxx
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B