encrypted tapes

Florian Weimer fw at deneb.enyo.de
Thu Jun 9 09:53:57 EDT 2005


>    - you must prove it before you can report it

I don't think this is a good policy in general.  Often, it's more
cost-effective to fix a potential vulnerability than to investigate it
in detail, construct a proof that it's real, and fix it.  This is
especially true in environments where changes can be deployed at
moderate cost.  (I know that there are others.)

To sum it up, I think it's fine to report potential problems as well,
but they have to be labeled as such (so that they receive the right
priority).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list