Comments on slight paranoia: Blogging Hiatus, New Travel Blog
Blog author: Christopher Soghoian (http://www.blogger.com/profile/08950937382104783909)
Comment feed last updated: 2024-01-24T20:01:37.600-05:00

Comment by Anonymous, 2009-02-13T11:24:00.000-05:00:

interesting article, good read thanks.

Lisa.

Comment by aaron (https://www.blogger.com/profile/04880560298321463299), 2007-05-11T14:21:00.000-04:00:

First time communicating with you, but wanted to just throw my two cents onto the table about responsible disclosure.

When disclosing a vulnerability to a vendor it's best to either a) work through CERT, and/or b) propose a hard deadline during the first disclosure.

CERT has a hard deadline of disclosing the vulnerability 45 days after they are informed.
This is necessary as the vendor is economically motivated to keep the vulnerability secret forever, as the vulnerability costs the vendor [patchDevCost + (someFraction)*CustomersCost] where Customers are those who have the software installed.

The patchDevCost is the major portion of the total VulnCost until the Vulnerability has been made public.

A large company with a huge code-base (Microsoft for example) can reasonably develop, test, and release a patch within 1-2 weeks if necessary. 30-45 days is merely to allow typical patch cycles to complete, and/or for smaller organizations to develop the patch.

Working through an intermediary like CERT typically absolves you from any unfounded threats of liability.

cheers.

Comment by Arvind Narayanan (https://www.blogger.com/profile/02495762505427759752), 2007-05-08T15:09:00.000-04:00:

One more reason why blogger sucks -- AFAICT you don't have feeds for individual tags. If you did, you wouldn't need a separate blog, you could just ask readers to use one or the other tag.

Even if you aren't writing about your own activities, it would be nice if you could write about security once in a while.