Slashdot Mirror


Internet Draft on Vulnerability Disclosures

Cowboy71 writes: "An interesting posting on Bugtraq by Stephen Christie announcing the release for comment of an internet-draft 'Responsible Disclosure Process' document, prepared by himself and Chris Wysopal of @stake. You can view the full paper at the IETF site."

5 of 114 comments

  1. Re:The Greatest Troll Ever? by Anonymous Coward · · Score: -1, Troll

    Proof that trolling is dead. I thought that the low point would be random number crapflooding. I thought there is no way we could sink lower. But now, the last dregs of originality are gone. Fuck you, and farewell. Adequacy beckons.

  2. Protecting turf. by another-sheep · · Score: 1, Troll

    It is interesting that Chris is in favor of controlling full disclosure. I don't see how he can be objective, since @stake is one of a handful of security product vendors that is now in bed with Microsoft. They want to limit the accessibility of information to a select few and increase the time limit before the disclosures are made public. This works well for them as they can then sell themselves as one of the select few in the know, besides the person who really discovered the vulnerability and released it into the wild. What a bunch of hypocrites.

  3. asdasd by Anonymous Coward · · Score: -1, Troll

    I've been going through it, and I can't seem to find any points on which this differs from the existing full disclosure model that most of the security community already follows.
    There are, of course, people who discover vulnerabilities and immediately publish all the details without notifying the vendor, but an RFC is hardly going to stop them.

    All the same, guidelines are nice. I'm a little skeptical of vendors sticking to the suggestions. Too many SHOULDs and MAYs.

    To recap, the proposed RFC suggests 7 stages in fixing a vulnerability:
    1. Latent flaw. The flaw exists undiscovered.
    2. Discovery. Somebody finds the flaw (the 'Reporter').
    3. Notification. The Reporter notifies the Vendor.
    4. Validation. The vendor verifies the flaw.
    5. Resolution. The vendor fixes the flaw.
    6. Release. The vendor publishes the flaw.
    7. Follow-up. Analysis of the resolution.

    What a nice world this would be.

    It usually works like that right up until step 5. Here's what really happens:
    5. Denial. The vendor denies the flaw really exists, setting his best PR guys on the job.
    6. Demonstration. The Reporter creates exploit code to prove to the vendor that not only does it exist, but it is serious and should be fixed.
    7. Diversion. The Vendor changes the subject by publicly attacking the Reporter for creating the demonstration, labeling it a "Hacker Tool".
    8. Publication. Third party bug tracking systems and security entities make knowledge of the vulnerability widespread to try to scare the Vendor's customers.
    9. Fix. The Vendor repairs the vulnerability, while still denying that it has any real significance.
    10. Release. The Vendor shuffles the release into a service pack or update, and puts it on his web site.


    The Greatest Troll Ever? (Score:1, Offtopic)
    by Anonymous Coward on Thursday February 21, @06:01AM (#3043884)
    The last few months I have been doing some research into the trolling phenomenon on slashdot.org. In order to do this as thoroughly as possible, I have written both normal and troll posts, 1st posts, etc., both logged in and anonymously, and I have found these rather shocking results:

    More moderator points are being used to mod posts down than up. Furthermore, when modding a post up, every moderator seems to follow previous moderators in their choices, even when it's not a particularly interesting or clever post. There are a LOT more +5 posts than +3 or +4.

    Logged in people are modded down faster than anonymous cowards. Presumably these Nazi Moderators think it's more important to burn a user's existing karma, to silence that individual for the future, than to use the moderation system for what it's meant for: identifying "good" and "bad" posts. (Notice how nearly all oppressive governments in the past and present do the same thing: marking individuals as bad and untrustworthy because they have conflicting opinions, instead of engaging in a public discussion about these opinions.)

    Once you have a karma of -4 or -5, your posts have a score of -1 by default. When this is the case, no-one bothers to mod you down anymore. This means a logged in user can keep on trolling as much as he (or she) likes, without risking a ban to post on slashdot. When trolling as an anonymous user, every post starts at score 0, and you will be modded down to -1 ON EVERY POST. When you are modded down a certain number of times in 24 hours, you cannot post anymore from your current IP for a day or so. So, for successful trolling, ALWAYS log in.

    A lot of the modded down posts are actually quite clever, funny, etc., and they are only modded down because they are offtopic. Now, on a news site like slashdot, where the number of different topics of discussion can be counted on 1 hand, I must say I quite like the distraction these posts offer. But no, when the topic is yet another minor version change of the Linux kernel, they only expect ooohs and aaahs about this great feat of engineering. Look at the moderation done in this thread to see what I mean.

    Digging deep into the history of slashdot, I found this poll, which clearly indicates the vast majority does NOT want the moderation we have here today. 'nuff said.
    Feel free to use this information to your advantage. I thank you for your time.

    This troll was reposted from the Troll Library without permission of the original author. If you object to this post, or if you wish to add your troll to the Troll Library, please reply to this message.


  4. Stephen King, author, dead at 54 by Anonymous Coward · · Score: -1, Troll

    I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

  5. Re:Parallels to journalism and koruption by Tony-A · · Score: 1, Troll

    If you actually want software to be secure:
    1. Publish the exploit. Get it loose in the wild.
    2. Publish the fix or workaround, if there is one.
    3. Inform the vendor.

    Brutal, but anything less becomes a mess of how long the vendor can delay doing anything about it.