William D. Colburn (aka Schlake)
Mon, 4 Feb 2002 09:53:31 -0700
I've sent my disclosure to Balazs, and I'm posting here about my ethical
viewpoint on bug disclosure.
I feel that disclosure is a good thing, but I also think that
good-neighbor ethics requires a private disclosure first. The vendor of
the software needs a chance to address the issue and have a fix ready
before the vulnerability makes the prime time. Full disclosure can
sometimes be a tool to force a vendor to fix their product as well.
On Mon, Feb 04, 2002 at 04:50:36PM +0100, Balazs Scheidler wrote:
> > > > Normally I would disclose the crash to the list, but if no fix will be
> > > > forthcoming I am afraid to let other people know how to down a server.
> I'm here and available, I was skiing for a week. ;)
William Colburn, "Sysprog" <firstname.lastname@example.org>
Computer Center, New Mexico Institute of Mining and Technology