[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0207312228340.9535-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: A two way street: Re: It takes two to tango Re:
OT: Snosoft vs HP
It would seem that if vendors were to be fair about disclosure issues,
that they would recognise that security as far as the triad
researchers/vendors/customer relationships are at least a two way street,
if not a three way intersections of responsibility and cooperation. Note
that all the pressure on the disclosure paradym has been on the reseach
community. Researchers have been called to task to act responsibly, and
to cooperate with vendors, often to the disadvantage of not only the
researchers, but, to the customerbase of the vendors who clothe themselves
in non-responsibility disclamers on their products.
Which vendors to date have adpoted any standard of a respoonsible
relationship with rthe researchers and their customerbase such that;
1> they setup and actively monitor a account for vulnerability
information on their products from the research community.
2> after working quickly with researchers to determine the validity of
the vulnerabilities that have discovered, then release, on their own, to
their cusomters, or better yet openly in public lists as these, the
information of threats people are subject to due to the problems the
researchers have identified. A full vendor responsibility disclosure
policy if you will, giving proper credit to the researcher<s> who
discovered the vulnerability. Hell, it allows someone to go out and
writeup an vendors discluoser compliance RFC and all too.
This would give the researchers the proper credit they deserve, make the
vendors appear to be on the up and up with those reseachers and their
customer base. A fair tradeoff of responsibility on both sides of the
coin and a decent situation for customers now feeling that their vendors
might well have their best interests at heart. It makes the researchers
feel better about a responsible disclosure policy as they get not only
credit, but the sense that the vendors are paying attention and to
security and the need to improve their products, while putting them <the
vendors> under the gun of responsibilty to some sense thaat they have so
far escaped in the real world.
So, now, which vendors are up to the challenge?
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists