Message-ID: <3D591CF3.6000901@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: Re: The Large-Scale Threat of Bad Data in DNS

FORENSICS.ORG Security Coordinator wrote:

> On a related subject, everyone involved in the process of computer security
> vulnerability discovery, disclosure, and software bug fixes should take a
> moment to familiarize themselves with the internet draft of the Responsible
> Vulnerability Disclosure Process, and in particular note the important role
> of a third-party "coordinator" in cases where any party involved in the
> process needs help communicating with any other party to ensure proper
> handling and comprehensive understanding of complex technical materials:
>
> http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-0
> 0.txt
>
> Most vulnerability disclosures occur today without comprehensive
> cross-vendor research facilitated by a coordinator. Our group of forensic
> experts makes its members available to function as Security Coordinators to
> any party who needs this type of technical assistance.
>

I am getting tired of speculations about this draft which the IETF did not approve.

So in the case with DNS browser fun, Microsoft denied this to be a problem, so some good coordinator should try to convince them that this is really a bug and they should be so kind to fix it, or am I missing something? Or is the idea for the coordinator to sell the info early?

What about the following: me becoming the personal coordinator of forensics.org (without any obligations on my part, of course), i.e. whenever forencics.org becomes aware of a 0day, they notify me about the 0day with full details?

In case you have missed it, some people quite disagree with the draft, check:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html

Georgi Guninski
http://www.guninski.com