<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/MU" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Danged if you disclose; danged if you don&#8217;t.</title>
	<link>http://blogs.windowsecurity.com/troutman/2006/05/29/danged-if-you-disclose-danged-if-you-dont/</link>
	<description>The Justin Troutman blog focuses on happenings in the cryptographic community, general computer security and the politics that affect it all. Cryptographic coverage includes the latest cryptanalysis of block ciphers and hash functions to the use of cryptography in a malicious context, such as cryptoviral information extortion. General computer security concerns are discussed, such as the place of encryption within a security policy, and topics such as the legal ramifications of full disclosure are featured.</description>
	<pubDate>Sun, 23 Nov 2008 10:20:28 +0000</pubDate>
	<generator>http://wordpress.org/?v=MU</generator>

	<item>
		<title>by: Adam Holthouse</title>
		<link>http://blogs.windowsecurity.com/troutman/2006/05/29/danged-if-you-disclose-danged-if-you-dont/#comment-110</link>
		<pubDate>Wed, 26 Jul 2006 07:11:45 +0000</pubDate>
		<guid>http://blogs.windowsecurity.com/troutman/2006/05/29/danged-if-you-disclose-danged-if-you-dont/#comment-110</guid>
					<description>Previously a vulnerability was discovered on my old company's financial web app, running on the Siebel framework with an Oracle backend. It seemed that a backdoor-style administrator's login was obtainable just through the viewing of the login screen's source code (what a joke, right?). Anyway, it was disclosed to me (at that time on the helpdesk) and forwarded to our developers. Of course they were upset at the fact that potentially customers' data could have been compromised by the fact that this person tested the actual vulnerability before letting us know, but more important in everyone's eyes was the fact that it was disclosed to us.

In short, I totally agree with you: for the improvement of security in all forms, there needs to be an understanding that the disclosure of such information is a great benefit and not all use it for the wrong reasons.</description>
		<content:encoded><![CDATA[<p>Previously a vulnerability was discovered on my old company's financial web app, running on the Siebel framework with an Oracle backend. It seemed that a backdoor-style administrator's login was obtainable just through the viewing of the login screen's source code (what a joke, right?). Anyway, it was disclosed to me (at that time on the helpdesk) and forwarded to our developers. Of course they were upset at the fact that potentially customers' data could have been compromised by the fact that this person tested the actual vulnerability before letting us know, but more important in everyone's eyes was the fact that it was disclosed to us.</p>
<p>In short, I totally agree with you: for the improvement of security in all forms, there needs to be an understanding that the disclosure of such information is a great benefit and not all use it for the wrong reasons.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
