the underground software vulnerability marketplace and its hazards (fwd)

Ben Laurie ben at algroup.co.uk
Thu Aug 22 14:41:50 EDT 2002


Adam Back wrote:
> I think HP were wrong, and find their actions in trying to use legal
> scare tactics reprehensible: they should either negotiate a price, or
> wait for the information to become generally available.

Amen.

Incidentally I was put under a lot of pressure when releasing the 
OpenSSL advisory a few weeks ago to allow CERT to notify "vendors" 
before going on general release. I have a big problem with this - who 
decides who are "vendors", and how? And why should I abide by their 
decision? Why should I pick CERT and not some other route to release the 
information?

Also, if the "vendors" were playing the free software game properly, 
they wouldn't _need_ advance notification - their customers would have 
source, and could apply the patches, just like real humans.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com