lists.openwall.net
Open Source and information security mailing list archives

From: coley at linus.mitre.org (Steven M. Christey)
Subject: Re: it's all about timing

Georgi Guninski said:

>What scares me is that the "Responsible Disclosure" FUD continues.  On
>bugtraq people write that CERT and SecurityFocus are "established
>parties" and everyone who does not give them their 0days is
>irresponsible... I personally won't give them my 0days early.

A number of people thought that the disclosure process draft placed
too much of an emphasis on using third parties.  That will be weakened
to a suggestion in the next version.

The Coordinator role, as described in the process draft, does not need
to be restricted to parties such as SecurityFocus and CERT/CC.  For
example, just this year, w00w00 has taken on the Coordinator role in
the disclosure of an AIM vulnerability and an IE/Office vulnerability.

  http://marc.theaimsgroup.com/?l=bugtraq&m=101897994314015&w=2
  http://marc.theaimsgroup.com/?l=bugtraq&m=102071080509955&w=2

>The "Responsible Disclosure" draft continues to get advertised, though
>it was not approved by IETF.

A minor clarification: while it was the subject of lively debate on
the IETF Security Area Advisory Group (SAAG) mailing list, the SAAG
did not think it was appropriate to pursue a document that dealt with
procedures as opposed to networking protocols.  So, it was not
approved because the topic was outside the scope of the IETF.

Other organizations have expressed support for developing the
responsible disclosure concept (with some changes to the current
draft), but they aren't set up for public feedback and/or document
ownership like the IETF is.


- Steve
