Technology Stocks : How high will Microsoft fly?


To: dybdahl who wrote (66528)3/30/2002 8:33:44 AM
From: Jordan A. Sheridan
 
Dybdahl;

They are talking about the concept of what is responsible behavior by the people that find vulnerabilities. (i.e. If you report a vulnerability, what is the proper amount of time to allow the company to produce a fix or publicly acknowledge the problem before you make the vulnerability publicly known)

Regards;
Jordan



To: dybdahl who wrote (66528)3/30/2002 8:38:03 AM
From: Just_Observing
 
Re: but working on WHEN to report them

Yes, MSFT is working on that.

In Microsoft's view, the only prudent policy is to work with vendors and not disclose vulnerability information to the public until a patch is available - and then only to disclose enough information so that administrators can decide whether to apply the fix without being at risk if they don't.


newsbytes.com



To: dybdahl who wrote (66528)3/30/2002 11:32:24 AM
From: David Howe
 
<< but working on WHEN to report them seems quite untrustworthy to me. Does anybody on this thread know if this is true? >>

Of course it's true and of course there are circumstances where a security issue should be reported later rather than immediately.

If MSFT discovered a security hole in one of ORCL's programs they should report it to ORCL, not the general public. Then, ORCL should take a few days to develop a patch. Then, and only then, should they report the problem to the general public. Why tell the hackers how to hack when there isn't a patch available? Delaying the report until the patch is available is the responsible thing to do.

Developing rules and guidelines for this type of thing is important and that is why they are working on it.

IMO,
Dave



To: dybdahl who wrote (66528)3/31/2002 6:55:07 PM
From: DiViT
 
The practice for Linux is to keep vulnerabilities quiet until the patch is ready.

Yet when Microsoft seeks the same treatment there is something suddenly untrustworthy about it.

See my November 2001 post.
#reply-16717062