Slashdot Mirror


Internet Draft on Vulnerability Disclosures

Cowboy71 writes: "An interesting posting on Bugtraq by Stephen Christie announcing the release for comment of an internet-draft "Responsible Disclosure Process" document, prepared by himself and Chris Wysopal of @stake. You can view the full paper at the IETF site."

2 of 114 comments

  1. Protecting turf. by another-sheep · · Score: 1, Troll

    It is interesting that Chris is in favor of controlling full disclosure. I don't see how he can be objective, since @stake is one of a handful of security product vendors that is now in bed with Microsoft. They want to limit the accessibility of information to a select few and increase the time limit before the disclosures are made public. This works well for them as they can then sell themselves as one of the select few in the know, besides the person who really discovered the vulnerability and released it into the wild. What a bunch of hypocrites.

  2. Re:Parallels to journalism and corruption by Tony-A · · Score: 1, Troll

    If you actually want software to be secure:
    1. Publish the exploit. Get it loose in the wild.
    2. Publish the fix or workaround, if there is one.
    3. Inform the vendor.

    Brutal, but anything less becomes a mess of how long the vendor can delay doing anything about it.