
RE: [Full-Disclosure] Information Week: 2/3 of pros want immediate disclosure



Figures lie and liars figure.  It's all in the way the question was
phrased:

"When should software vendors disclose software vulnerabilities to their
customers?" This was the wording in the InformationWeek article that
Steve posted.  66% said "immediately".

What would the results look like if you asked a loaded question that
leaned in the other direction?

"Should software vendors disclose information about software
vulnerabilities to the global hacking community at the same time as all
their customers who haven't yet implemented a working patch management
process?"

I imagine the results would be slightly different.  Take this study with
a grain of salt.

------------------
Daniel Ingevaldson
Director, X-Force R&D/PSS
dsi@xxxxxxx 
404-236-3160
 
Internet Security Systems, Inc.
Ahead of the Threat
http://www.iss.net
 

-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Ron
DuFresne
Sent: Thursday, July 08, 2004 12:04 PM
To: Steven M. Christey
Cc: Full-Disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Information Week: 2/3 of pros want
immediate disclosure


Which adds to the full disclosure debate a resounding, disclose asap.
And shows that many in the industry feel this is needed to not only
address issues in their envs as quickly as possible to mitigate problems
until a fix/patch is available, but, that most feel disclosure puts the
pressure on their vendors to respond to issues as they become disclosed.

Thanks,

Ron DuFresne

On Wed, 7 Jul 2004, Steven M. Christey wrote:

>
> Information Week just posted an article titled "Disclosure: Security
> Pros Want Flaw Information Sooner" in which they surveyed 7,000
> business technology and security professionals.  66% argued for
> immediate disclosure upon discovery, and another 32% wanted disclosure
> once a patch was available, leaving only 2% who said that there was no
> need to disclose vulnerabilities at all:
>
>   http://www.informationweek.com/story/showArticle.jhtml?articleID=22103495
>
> - Steve
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
