the underground software vulnerability marketplace and its hazards (fwd)
Ben Laurie
ben at algroup.co.uk
Thu Aug 22 11:41:50 PDT 2002
Adam Back wrote:
> I think HP were wrong, and find their actions in trying to use legal
> scare tactics reprehensible: they should either negotiate a price, or
> wait for the information to become generally available.
Amen.
Incidentally, I was put under a lot of pressure when releasing the
OpenSSL advisory a few weeks ago to allow CERT to notify "vendors"
before going on general release. I have a big problem with this - who
decides who are "vendors", and how? And why should I abide by their
decision? Why should I pick CERT and not some other route to release the
information?
Also, if the "vendors" were playing the free software game properly,
they wouldn't _need_ advance notification - their customers would have
source, and could apply the patches, just like real humans.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
Available for contract work.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com