Vulnerability Disclosure Conference at Stanford
Jennifer Granick writes "Stanford Law School Center for Internet and Society, headed by Lawrence Lessig and Jennifer Granick, is hosting a day-long conference on vulnerability disclosure on November 22, 2003. The point is to get all sorts of people interested in vulnerability disclosure in the same room to discuss the issues and to come up with a clear definition of the problems and the costs and benefits of various solutions. This conference is really a workshop, and security researchers, vendor security teams, and system administrators should all consider attending and participating. For more information:
http://cyberlaw.stanford.edu/security/"
I don't think there is one correct answer. If it is for a browser vulnerability, then fine, total disclosure. If, however, you find a vulnerability in the net at your fire brigade call center, then maybe not. It all depends on whether the software is for public consumption. At the end of the day we need quick patches, but not so quick that they are poorly designed.
Here's a plausible scenario: Mr. RemainNameless stumbles across a major SQL injection vulnerability while browsing WidgetCompany's site. He realizes that WidgetCompany now has his originating IP address and ISP information in their web server log files and could track him down to accuse him of an attack on their server. What to do? If he comes forward, they can accuse him of an attack. If he remains silent, the problem isn't fixed, and he might (especially if he is a security professional) be in trouble for not alerting anyone about this vulnerability, and there is a record in the log files that he knew about it.
What's the best way to go about disclosing to a company that their network presence is vulnerable? What are the legal ramifications of doing so?
http://tinyurl.com/4ny52