Comments on: Security Fixation http://spiresecurity.com/?p=334 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Andy http://spiresecurity.com/?p=334&cpage=1#comment-482 Andy Tue, 20 Mar 2007 02:57:46 +0000 http://spiresecurity.com/blog/?p=334#comment-482 I’m coming very late to this debate. Sorry about that.

As should be clear – security vulnerabilities are different than other product defects. A faulty brake system on a truck is a vulnerability, but it isn’t something that generally people will try to exploit for their gain.

The same can not be said for other technologies.

Were pinto owners angry when people tried to show how easily they blow up. yes, but it was because of a loss of resale value and fear for their own safety in regular circumstances, not because they feared intentional rear-ending that would cause them to burst into flames.

The same isn’t true for security vulnerabilities. People do attempt to exploit them, with a notable increase in issues as a result of disclosure.

]]> By: Chris Wysopal http://spiresecurity.com/?p=334&cpage=1#comment-481 Chris Wysopal Wed, 28 Feb 2007 00:27:38 +0000 http://spiresecurity.com/blog/?p=334#comment-481 Pete,
Your ideas of requiring a positive cost-benefit equation or a significance requirement are nice in theory but not in the real world. Who would enforce this? How would significance be defined? You have to allow for insignificant disclosures or you have to ban all disclosure. To not be able to describe any vulnerabilities or any attack techniques keeps the field of security from advancing.

I’m all for delaying the release of detailed vulnerability information until people have a chance to patch because a timeline can be defined. Cost-benefit equations and significance cannot. If you have ideas how I would like to hear them.

-Chris

]]>