Plenty of Vulnerabilities to go Around
January 15, 2010
Evgeny Legerov, founder of Intevydis, plans to release a list of vulnerabilities and working exploits in a number of commercial software products. According to the report on Krebs on Security, the list includes Web servers such as Zeus Web Server and Sun Web Server.
At issue is the pesky ethical and practical question of whether airing a software vendor's dirty laundry (the unpatched security flaws that they know about but haven't fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret. There are plenty of examples showing that this so-called "full disclosure" approach does in fact prompt vendors to issue patches faster than when they are privately notified by the researcher and permitted to investigate and fix the problem on their own schedule. But in this case, Legerov said he has had no contact with the vendors, save for Zeus.com, which he said is likely to ship an update to fix the bug on the day he details the flaw.