Comments on: Marketing for security companies now via Secunia! http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/ Programming, reverse engineering and anything else as well ... Sat, 11 Oct 2008 19:36:44 +0000 http://wordpress.org/?v=2.3.3 By: Oliver http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/#comment-36003 Oliver Tue, 11 Mar 2008 01:12:43 +0000 http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/#comment-36003 Very good question. I am sure it will be possible to find a modus operandi. However, this method sounds more like blackmail: <blockquote>We know there is a vulnerability and we'll tell everyone in a very abstract way that there is one - however, we'll only disclose details if you pay us.</blockquote> Basically it is a service no one asked you to do, so the question who has to pay and why is a very good question indeed. However, I see that there is another problem. That is, that many vendors don't consider security holes a threat. Either it results in a very relaxed handling of such vulnerabilities, the bugs being ignored or the PR department "trying to contain" the damage. // Oliver Very good question. I am sure it will be possible to find a modus operandi. However, this method sounds more like blackmail:

We know there is a vulnerability and we’ll tell everyone in a very abstract way that there is one - however, we’ll only disclose details if you pay us.

Basically it is a service no one asked you to do, so the question who has to pay and why is a very good question indeed.

However, I see that there is another problem. That is, that many vendors don’t consider security holes a threat. Either it results in a very relaxed handling of such vulnerabilities, the bugs being ignored or the PR department “trying to contain” the damage.

// Oliver

]]> By: van http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/#comment-35997 van Tue, 11 Mar 2008 00:58:06 +0000 http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/#comment-35997 well, Discovering bugs is tedious. Who will pay for if we accept the full-disclosure policy? well,
Discovering bugs is tedious. Who will pay for if we accept the full-disclosure policy?

]]> By: reyortsed http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/#comment-84 reyortsed Mon, 20 Nov 2006 12:19:50 +0000 http://blog.assarbad.net/20061119/marketing-for-security-companies-now-via-secunia/#comment-84 Nice one Secunia. Lets just report the world as a bug? I can see it now... "GLEG have discovered an potential undefined bug in an unknown software by an unknown company that could potentially be used to comprimise the system in an unspecified way" Solution: "Build a time machine, go back in time and prevent software and computers from EVER being invented"... I agree with the author of this blog, this is insane... that you seem to have to buy their software to get the info... as the author says full disclosure is FULL disclosure... come on Secunia, wipe that crap of your site!!! Nice one Secunia. Lets just report the world as a bug?

I can see it now…

“GLEG have discovered an potential undefined bug in an unknown software by an unknown company that could potentially be used to comprimise the system in an unspecified way”

Solution: “Build a time machine, go back in time and prevent software and computers from EVER being invented”…

I agree with the author of this blog, this is insane… that you seem to have to buy their software to get the info… as the author says full disclosure is FULL disclosure… come on Secunia, wipe that crap of your site!!!

]]>