[VIM] Dana Epp on responsible disclosure and VDB's

security curmudgeon jericho at attrition.org
Tue Aug 23 17:36:46 EDT 2005


: A recent blog entry by Dana Epp calls SecurityFocus to task for
: publishing a BID on a third party researcher's report of a buffer
: overflow that had not been coordinated with the vendor:
: 
:   Please act more responsibly "AT ma CA". And you too Symantec (the
:   owners of Security Focus). You aren't helping the industry when you
:   do this. You hurt it.
: 
:   http://silverstr.ufies.org/blog/archives/000849.html
: 
: Given the growing frequency of these kinds of complaints, it feels like 
: vuln DB's are going to be visibly targeted one of these days.

Interesting! I noticed you posted after I submitted my own:

"It took me less than a minute to see that v2.93 just came out and that
there was no way that responsible disclosure was used in relation to this
advisory."

Ok, how long did it take you to check the disclosure for the other dozen
vulnerabilities released that day? How about the days when we see as many
as 100 vulnerabilities released? Does it matter that SecurityFocus posted
it 24 hours after other security sites did, and posted it likely knowing
that it was already public?

You should also correct the version number above, as 9.23 was affected,
not 2.93. If you ran a database, some folks may complain about the
inaccurate information you provide as well.

Posted by: security curmudgeon at August 23, 2005 02:30 PM
