On Thu, 2002-01-17 at 17:56, Ben Collins wrote:
> I think most people consider "hiding" as an intent to deceive, when it
> comes to security issues (the context we are discussing). While a lot of
> users might consider the timeframe between discovery and announcement as
> "hiding", we have to make sure they understand that their best interests
> are held, and that we are not trying to deceive anyone, and that the
> timeframe is not a way to "hide" vulnerabilities, but a mechanism to be
> sure they are protected, prior to public knowledge.

This doesn't cut the cheese. If, say, ``vsftpd'' is bugged with a remote root
exploit with no patch in sight, then I want to know, so I can remove this
application from my system. If you know of such a hole and you are not telling
me, then you are hiding the problem from me. This is simple and really can't be
argued. There is a problem and you are not telling. Your motive may be good, but
your action is ``hiding the problem'' from me. Indeed, you are deceiving me. I
believe there is nothing wrong with ``vsftpd'' and you are hiding from me the
fact that it isn't.

The minute security is notified of a hole the hiding starts, unless an
announcement is sent out.

-- 
Lars Bahner, http://lars.bahner.com/
Nihil est sine ratione cur potius sit, quam non sit.