Quotes of the week [LWN.net]

Quotes of the week

Posted Jul 25, 2008 15:45 UTC (Fri) by zooko (subscriber, #2589)
Parent article: Quotes of the week

I did read the whole thing and it was well worth it for the analysis of the history of a
specific security flaw and its patches.

(Log in to post comments)

Quotes of the week

Posted Jul 28, 2008 3:57 UTC (Mon) by JoeBuck (subscriber, #2330) [Link]

Viro makes an interesting charge:

Going to vendor-sec is a mistake I won't repeat any time soon and I would strongly recommend everybody else to stay the hell away from that morass. It creates inexcusable delays, bounds you to confidentiality and, let's face it, happens to be the prime infiltration target for zero-day exploit traders.

Quotes of the week

Posted Jul 29, 2008 2:39 UTC (Tue) by roelofs (guest, #2599) [Link]

Viro makes an interesting charge:

Going to vendor-sec is a mistake I won't repeat any time soon and I would strongly recommend everybody else to stay the hell away from that morass. It creates inexcusable delays, bounds you to confidentiality and, let's face it, happens to be the prime infiltration target for zero-day exploit traders.

Which part do you see as the charge, or do you mean the whole thing? It certainly creates delays, but I don't think that's a surprise to any of us. It's also unquestionably a prime infiltration target, but that doesn't imply anyone has yet succeeded in doing so; we ("most of us") simply don't know. Finally, he claims vendor-sec binds you to confidentiality, but that's only if you (and/or your employer) allow it; you (or your employer) can also choose to contact them in write-only fashion, provide a disclosure date, and leave it at that. Without a written and mutually-agreed-to contract, what obligation do you have beyond those of basic courtesy/altruism/etc.? IANAL, but I don't think shrinkwrap provisions would have legal force even if they attempted it, and AFAIK, they haven't attempted it.

Greg