R: [Full-Disclosure] [Secure Network Operations, Inc.]FullDisclosure != Exploit Release
andrea.vecchio at bsc.it
Wed Jan 29 17:58:41 GMT 2003
> Da: full-disclosure-admin at lists.netsys.com
> Good points,
> One question remains however. If we are to attach
> exploit code to our
> advisories, how do we protect the innocent from attacks by malicious
> people using our exploit code? I honestly believe that exploits are
> digital munitions that should be distributed under
> restrictions. Do you
> agree that a vulnerability can be clearly demonstrated in an
> advisory by
> showing debugger output and explaining the output? If proof of concept
> code needs to be made, it could be generated from the detail in the
> advisory. Why is that not a solution?
Sorry, but I think that full disclosure, by definition, is
telling something without careing a think about consequences.
I'm not telling whether it's right or not, but so it is.
If we believe in full disclosure (as i do) we have (silently)
accepted that what we're saying can be used in different ways.
"full disclosure" != "exploit release", but
"exploit release" C "full disclosure"
( C -> belongs to :)
Full-Disclosure is hosted and sponsored by Secunia.