Dave writes:

you shouldn’t report security vulnerabilities by exploiting them on a mass scale, if you’re a professional.

What Mark did was a demonstration of an exploit, not an actual exploit. He gave us a vivid example of exactly what could happen without actually doing anything harmful.

People publish demonstrations because software vendors have historically ignored private warnings. A demonstration makes it clear to the vendor and the users what the flaw enables. The users see the flaw and pressure the vendor to fix the software.

Without the demonstration, there is no pressure from the users, and the software is rarely fixed.

Even the “white hats” in the security industry recognise this simple principle. They’ve tried various times to come up with a solution that would allow the vendors to save face and users to have their software fixed, but every effort has failed. It seems that the vendors can’t help themselves.

