Re: [pgsql-advocacy] MySQL worm attacks Windows servers

From: Jan Wieck <JanWieck(at)Yahoo(dot)com>
To: Greg Stark <gsstark(at)mit(dot)edu>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: [pgsql-advocacy] MySQL worm attacks Windows servers
Date: 2005-03-07 14:35:28
Message-ID: 422C66B0.2010907@Yahoo.com
Lists: pgsql-advocacy pgsql-general pgsql-www

On 2/6/2005 4:31 PM, Greg Stark wrote:

> Jan Wieck <JanWieck(at)Yahoo(dot)com> writes:
>
>> No, Peter.
>>
>> Posting a vulnerability on a public mailing list "before" there is a known fix
>> for it means that you put everyone who has that vulnerability into jeopardy.
>> Vulnerabilities are a special breed of bugs and need to be exterminated a
>> little differently.
>
> Many people disagree with this. Posting the vulnerability isn't what puts
> people into jeopardy; the presence of the vulnerability puts people in
> jeopardy. Posting it at least allows people to disable the feature or close
> off access. Or at least monitor for possible intrusions. Not posting it leaves
> people in jeopardy and in the dark about it.
>
> If you think you're the first one to find the vulnerability you're probably
> wrong. Often malicious hackers who search for vulnerabilities find them and
> keep them secret long before they're reported.
>
> How would you feel if your system was compromised and then you found out later
> that it was a known security hole in a feature you had no need for and the
> vulnerability had been kept secret?

It's interesting that everyone advocating for "immediate public report"
is always talking about vulnerabilities that can be taken care of by
disabling some unused feature. What do you do if you find a
vulnerability in the text/varchar data type multibyte handling? Still
tell the world about it before having a fix?

Jan

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck(at)Yahoo(dot)com #
