Slashdot Mirror


Internet Draft on Vulnerability Disclosures

Cowboy71 writes: "An interesting posting on Bugtraq by Stephen Christie announcing the release for comment of an internet-draft "Responsible Disclosure Process" document, prepared by himself and Chris Wysopal of @stake. You can view the full paper at the IETF site."


  1. Re:Anything new? by jsmyth · Score: 4, Funny
    5. Denial. The vendor denies the flaw really exists, setting his best PR guys on the job.
    6. Demonstration. The Reporter creates exploit code to prove to the vendor that not only does it exist, but it is serious and should be fixed.

    7. Vendor hires a DMCA lawyer to sue the pants off the reporter for exploiting vendor's product.
    8. Government incarcerates random employee of reporter's organisation who just happens to be in the country at the time.
    9. Vendor retracts suit.
    10. Government continues to incarcerate random employee, sticking tongue out at the rest of the world in the process.

    I give up.

    --
    jer

    We may be human, but we're still animals
    - Steve Vai