Slashdot Mirror


Hackers Disagree On How, When To Disclose Bugs

darkreadingman writes to mention a post on the Dark Reading site about the debate over bug disclosure. The Month of Apple Bugs (and recent similar efforts) is drawing a lot of frustration from security researchers. Though the idea is to get these issues out into the open, commentators seem to feel that in the long run these projects are doing more harm than good. From the article: "'I've never found it to be a good thing to release bugs or exploits without giving a vendor a chance to patch it and do the right thing,' says Marc Maiffret, CTO of eEye Security Research, a former script kiddie who co-founded the security firm. 'There are rare exceptions where if a vendor is completely lacking any care for doing the right thing that you might need to release a bug without a patch -- to make the vendor pay attention and do something.'"

3 of 158 comments

  1. Re:Government Oversight by Anonymous Coward · · Score: -1, Redundant

    only to see if a port is listening or not. Or to manually send email using smtp... but that's about it.

  2. Feirsot post.. by Anonymous Coward · · Score: -1, Redundant
  3. don't be daft! ;) by Anonymous Coward · · Score: -1, Redundant

    They get posted when:
    Posted when:
    2-7 days after someone else posted it.
          or
    When the article is 6-9 months old.

    Posted how:
    With lots of typos
          or
    With wild inaccuracies