I've sent my disclosure to Balazs, and I'm posting here about my ethical viewpoint on bug disclosure. I feel that disclosure is a good thing, but I also think that good-neighbor ethics requires a private disclosure first. The vendor of the software needs a chance to address the issue and have a fix ready before the vulnerability makes the prime time. Full disclosure can sometimes be a tool to force a vendor to fix their product as well.

On Mon, Feb 04, 2002 at 04:50:36PM +0100, Balazs Scheidler wrote:
Normally I would disclose the crash to the list, but if no fix will be forthcoming I am afraid to let other people know how to down a server.
I'm here and available, I was skiing for a week. ;)
--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn