From owner-freebsd-security Tue Apr 10 21:33:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197])
	by hub.freebsd.org (Postfix) with ESMTP id B108637B422;
	Tue, 10 Apr 2001 21:33:35 -0700 (PDT)
	(envelope-from christopher@schulte.org)
Received: from TARMAP.schulte.org (tarmap.schulte.org [209.134.156.198])
	by poontang.schulte.org (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f3B4XXIr001152;
	Tue, 10 Apr 2001 23:33:34 -0500 (CDT)
Message-Id: <5.1.0.12.0.20010410232348.00ac7870@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1.0.12 (Beta)
Date: Tue, 10 Apr 2001 23:32:53 -0500
To: "Crist Clark" , Nicole Harrington
From: Christopher Schulte
Subject: Re: Security Announcements?
Cc: Ben Smithurst , freebsd-security@FreeBSD.ORG, Michael Bryan , Michael Nottebrock
In-Reply-To: <3AD39518.CFE8CB46@globalstar.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:19 PM 4/10/2001 -0700, Crist Clark wrote:

>A classic debate/flamewar: should the vendor notify before the fix
>is available? Been discussed to death a zillion times, and I will not
>start it again, but most vendors (Sun, Cisco, Microsoft) do not release
>notices until a solution is available. In extreme cases, a notice /may/
>be put out if the vulnerability is publicly disclosed, very serious,
>and some workaround is available.

In the case of an internal audit finding a new vulnerability or bug for
which a fix is not available and knowledge of the bug is not believed to
be 'in the wild', full public disclosure can be both inappropriate and
harmful.

In the case of a publicly available bug (ftpd, ntpd, bind, foo), timely
notification is critical, even if no workarounds or fixes are included.

My posts here are directed solely toward publicly aware bugs.

>--
>Crist J. Clark                     Network Security Engineer
>crist.clark@globalstar.com         Globalstar, L.P.
>(408) 933-4387                     FAX: (408) 933-4926

--chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message