
RE: [WEB SECURITY] Oracle in war of words with security researcher



> So the greater good is to keep us all in the dark because some are
> incompetent?

The short answer is, yes.  The long answer is that it all depends on the
particular circumstances.  With any public release there is generally an
event that makes placing all the information in the public domain the
best option.  Ideally this is the release of a working manufacturer's
patch.  However, it may not be.  It might be an independent discovery,
leading to real world exploitation.  When this happens, it is often the
case that getting the information out early and publicly will help the
competent admins protect themselves, whilst the others are blissfully
unaware that anything is even wrong.  If the vulnerability isn't already
in the public domain, then putting it there *is* the event that changes
the risk profile.  

We currently have a backlog of several hundred individual
vulnerabilities.  The current plan is to wait until the vendors have a
working fix; if the situation changes, then we will review it.

I don't think that you have made a convincing argument that simply
putting these in the public domain tomorrow and letting people sort it
out amongst themselves would be in any of my client's best interests,
let alone for the general greater good.

Martin...



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


