
Re: full disclosure, or not?



On Sat, Jun 26, 2004 at 09:55:01PM +0200, Horst Pflugstaedt wrote:
> 
> what would be the alternative?
> The security team would have to announce "there's a possible security
> flaw in package XY, we're on it, but it may take some more days to fix
> it"
> 
> What's the worth of such announcements? Users (You'd) know about a bug, but
> still could not do anything about it. After all, I'd strongly object
> to my web-host/ISP/Sys-Admin/... switching off
> apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
> a yet unfixed security problem.

As a sysadmin I'd like a heads-up to know I have to keep my eyes peeled
more than usual for a certain duration. And I'd like to make the
decision of "taking down services" vs. "not taking them down, because
mission critical" myself on a case-by-case basis.

Keep me informed, and I'll be able to make informed decisions. 

(Substitute "I" and "myself" up there with "relevant group of people for
this kind of decision-making" and "our network-using entity" :) ).

Regs,
Sven

-- 
---------------------Trigital-
Sven Riedel

. Tel: +49 511 1236364
. Fax: +49 511 1690746
. email: riedel@trigital.net


