sharpy merc
join:2003-01-28 England

Flaws, exploits and zero-days: should they be kept secret?

This is an incredibly two-sided argument.

The YES camp: the fewer people who know, the easier it is to fix (and pretend it was never there). Point of view

The NO camp: the more it's published, the faster it'll get fixed (sadly, many more people will be affected until it is). attitude

So what's your take, and what camp are you in?

BTW, if an argument makes you change your mind in either direction, that would be interesting.
TearAbite
join:2001-07-25 Rancho Cucamonga, CA

I guess NO: if I find an exploit, that means that all the people who are smarter than me will also find it at some point. I would notify the manufacturer, give them some time to react (say, 30 days), THEN publish it (without exact details).
Smokey Bear veritas odium parit Premium
join:2008-03-15 Annie's Pub

reply to sharpy merc

The question is much too simple; it depends. Varied factors and circumstances play a role, so I cannot vote with yes or no. Every flaw/exploit has to be analysed/judged on its own.
nwrickert sand groper Premium, MVM
join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to sharpy merc

The best practice, as far as I can tell, is:

Immediately notify the developers of the affected software. Ideally, the developers will start working on a solution.

Notify the general public when any of the following have occurred: (a) the developer has an effective solution that is ready to be put in place; (b) information on the flaw has already leaked, so the public needs to be warned; (c) substantial time has passed, the developer does not seem to be working on the problem, and publication is the only way to put pressure on the developer.

It is my impression that such practices are already followed by many.

-- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15