From: ericv at cruzio.com (Eric N. Valor)
Subject: it's all about timing

I believe, depending on severity of the vulnerability, that one week should 
be sufficient for at least vendor response prior to publicly leaking 
information about said vulnerability.  This does not mean releasing exploit 
code, only general information about the vuln so that educated readers can 
understand what's going on.

If no vendor responses occur, then release of information should occur.  If 
there is vendor response indicating an attempt to work the issue, then more 
time should of course be given (again, depending on severity of the issue).

Holes in this would include exactly *how* the vendor was contacted 
(midnight messages left in the general company voicemail don't count, etc.) 
and whether any follow-up attempts were made.  Also, a vanilla vendor 
response to the effect of "Thank you for the information.  We'll look into 
it.  Don't call us, we'll call you" is an effective NOOP.

Are we enough of an ad-hoc "authority" to attempt to determine a proper 
course of action for these instances?  Codifying this (even if it's just a 
"gentlemen's agreement") would most definitely be A Good Thing.
-- 
Eric N. Valor
ericv@...zio.com
PGP Key 2048/1024 227B04CB
Key Fingerprint = 766C CA15 0FFF E54B 2FEE  C7D7 0F87 3AFB 227B 04CB

: This Space Intentionally Left Blank :

