[syslog-ng] syslog-ng crash

William D. Colburn (aka Schlake) wcolburn@nmt.edu
Mon, 4 Feb 2002 09:53:31 -0700


I've sent my disclosure to Balazs, and I'm posting here about my ethical
viewpoint on bug disclosure.

I feel that disclosure is a good thing, but I also think that
good-neighbor ethics requires a private disclosure first.  The vendor of
the software needs a chance to address the issue and have a fix ready
before the vulnerability makes the prime time.  Full disclosure can
sometimes be a tool to force a vendor to fix their product as well.

On Mon, Feb 04, 2002 at 04:50:36PM +0100, Balazs Scheidler wrote:
> > > > Normally I would disclose the crash to the list, but if no fix will be
> > > > forthcoming I am afraid to let other people know how to down a server.
> 
> I'm here and available, I was skiing for a week. ;)

--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn