Message-ID: <Pine.GSO.4.43.0207312228340.9535-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: A two way street: Re: It takes two to tango Re: OT: Snosoft vs HP

It would seem that if vendors were to be fair about disclosure issues, they would recognise that security, as far as the triad of researcher/vendor/customer relationships goes, is at least a two-way street, if not a three-way intersection of responsibility and cooperation. Note that all the pressure on the disclosure paradigm has been on the research community. Researchers have been called to task to act responsibly and to cooperate with vendors, often to the disadvantage of not only the researchers, but of the customer base of the vendors, who clothe themselves in non-responsibility disclaimers on their products.

Which vendors to date have adopted any standard of a responsible relationship with the researchers and their customer base such that:

1> they set up and actively monitor an account for vulnerability information on their products from the research community.

2> after working quickly with researchers to determine the validity of the vulnerabilities that have been discovered, they then release, on their own, to their customers, or better yet openly in public lists such as these, the information on the threats people are subject to due to the problems the researchers have identified.

A full vendor responsible disclosure policy, if you will, giving proper credit to the researcher<s> who discovered the vulnerability. Hell, it allows someone to go out and write up a vendor disclosure compliance RFC and all too. This would give the researchers the proper credit they deserve, and make the vendors appear to be on the up and up with those researchers and their customer base. A fair tradeoff of responsibility on both sides of the coin, and a decent situation for customers now feeling that their vendors might well have their best interests at heart.

It makes the researchers feel better about a responsible disclosure policy, as they get not only credit, but the sense that the vendors are paying attention to security and the need to improve their products, while putting them <the vendors> under the gun of responsibility to some sense that they have so far escaped in the real world.

So, now, which vendors are up to the challenge?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.