Slashdot Mirror


Internet Draft on Vulnerability Disclosures

Cowboy71 writes: "An interesting posting on Bugtraq by Steven Christey announcing the release for comment of an internet-draft "Responsible Disclosure Process" document, prepared by himself and Chris Wysopal of @stake. You can view the full paper at the IETF site."

2 of 114 comments

  1. Alan Cox / DMCA / Open Source "vendors" by jsmyth · Score: 4, Interesting

    OK, I've made an attempt to read the document critically. It reminded me of some of its more obvious failings though:

    • Not all "vendors" can be bound by the obligations of either fixing a "flaw" or explaining why the flaw can't be fixed
    • In open source projects, the documentation on "flaws" is often included in the TODO file, which counteracts a large amount of what this document is trying to achieve
    • We still have the open sore of the DMCA to worry about, regarding the release of information that could be used to exploit or reverse engineer communications or data, e.g. Alan Cox's public refusal to document some of the kernel security stuff

    I have to admit that it's a good general solution for presentation to and ratification by the Microsofts of this world - companies for whom marketing departments have more control over release dates than systems engineering or test departments...

    ...but these are the very companies that are LEAST likely to pay attention to the words of the technological minority, in favour of placating the fickle majority. Anyone else see a problem here??

    --
    jer

    We may be human, but we're still animals
    - Steve Vai
  2. Required exceptions to non-disclosure pending fix by Zocalo · Score: 5, Interesting

    I'm all for vendors of software (any vendor, be it Microsoft about the latest IE exploit or ISC about a hole in BIND) keeping a show stopper under their hat while they try and fix it, provided that there is no evidence that the Blackhat crowd knows about the problem, but there need to be constraints - 30 days seems about right. This *has* to become null and void as soon as the problem is exploited though; at least that way the people who care about security can take steps to prevent abuse.

    I've seen a site well and truly compromised because frickin' Microsoft sat on a bug long after the Blackhats had an exploit. It only took two days before their entire DMZ was rooted and credit card details stolen, and the stupid thing was, if the site had known that there was a problem they could have worked around it and avoided the legal mess they got into and are still in.

    The only saving grace is that this probably won't happen to them again; they are now an ex-customer of Microsoft's and running Apache instead. True, Apache has its own problems, but at least they give you a chance to prevent any issues arising if you care to do so.

    PS. Can I interest anyone in 40 used copies of NT Server? Thought not.

    --
    UNIX? They're not even circumcised! Savages!