Internet Draft on Vulnerability Disclosures
Cowboy71 writes: "An interesting posting on Bugtraq by Stephen Christie announcing the release for comment of an internet-draft "Responsible Disclosure Process" document, prepared by himself and Chris Wysopal of @stake. You can view the full paper at the IETF site."
Go ahead and read the document before posting
3.7.1 Vendor Responsibilities
1) The Vendor SHOULD work with the Reporter and involved Coordinators
to arrange a date after which the vulnerability information may be
released.
2) The Vendor MAY ask the Reporter and Coordinator to allow a "Grace
Period" up to 30 days, during which the Reporter and Coordinator do
not release details of the vulnerability that could make it easier
for hackers to create exploit programs.
Apparently you did not read the draft (which I just did)
(from the draft)
3.6.2 Reporter Responsibilities
1) The Reporter SHOULD recognize that it may be difficult for a
Vendor to resolve a vulnerability within 30 days if (1) the problem
is related to insecure design, (2) the Vendor has a diverse set of
hardware, operating systems, and/or product versions to support, or
(3) the Vendor is not skilled in security.
2) The Reporter SHOULD grant time extensions to the Vendor if the
Vendor is acting in good faith to resolve the vulnerability.
3) If the Vendor is unresponsive or uncooperative, or a dispute
arises, then the Reporter SHOULD work with a Coordinator to identify
the best available resolution for the vulnerability.
and
3.7.1 Vendor Responsibilities
1) The Vendor SHOULD work with the Reporter and involved Coordinators
to arrange a date after which the vulnerability information may be
released.
2) The Vendor MAY ask the Reporter and Coordinator to allow a "Grace
Period" up to 30 days, during which the Reporter and Coordinator do
not release details of the vulnerability that could make it easier
for hackers to create exploit programs.
-- Who is the bigger fool? The fool or the fool who follows him? --