oracle not only offeder - researchers NOT responsible?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: oracle not only offeder - researchers NOT responsible?
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Sun, 11 Dec 2005 02:38:52 +0200
Cc: David Litchfield <davidl@xxxxxxxxxxxxxxx>, funsec@xxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

The following is a very well researched text from Matthew Murphy's blogdiscussing the matter of disclosing vulnerabilities to many vendors (andspecifically Microsoft). Further, as I understand it, he shows howvendors today use terms such as "responsible disclosure" to scareresearchers and claim they are NOT responsible if they don't do it theirway.

While I certainly did not dispute the facts that David Litchfield showedof Oracle's behaviour, I did not agree with how he did it or that Oracleis alone.

Oracle is not the only offender, and while I agree that Microsoft hascome a LONG way and takes security a whole lot more seriously than theyused to.. they still seem to not understand the security community andtreat security as a PR problem.

He shows specific cases and vulnerabilities, and is worth a read. QuiteRefreshing and very informative.


http://blogs.securiteam.com/index.php/archives/133

        Gadi.

Prev by Date: Re: Re: [KAPDA::#16] - SMF SQL Injection
Next by Date: Re: Re: [KAPDA::#16] - SMF SQL Injection
Previous by thread: Guestserver guestbook system vulnerabilities
Next by thread: [USN-227-1] xpdf vulnerabilities
Index(es):
- Date
- Thread