Jussi Laako said:
Rune Kristian Viken wrote:
vulnerability. The only responsible thing to do is to publish the exploit to as many security mailing lists as possible, and let admins disable the buggy service.
After that it's a race against time from the sysadmin's point of view. Is the admin fast enough to disable that service before someone breaks in? If only a few people know about a security vulnerability, it's less likely that someone uses it in your system. If every script kiddie knows about it, then it's much more likely...
How many people sit 24/7 reading security mailing lists?
No SA worth the title would need to take that much time to keep up. Besides, that's like asking, "what if the night-watchman falls asleep?".
What if the sysadmin is on a weekend trip with his sailing boat?
If the night-watchman takes the weekend off then you get someone to take his place. Or you do without, make sure you lock the doors as best you can, and take your chances.