lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <200208192018.QAA15725@linus.mitre.org>
From: coley at linus.mitre.org (Steven M. Christey)
Subject: Re: Shiver me timbers.

aliver@...il.com said:

> What I'm hearing from the "whitehat community" is that other
> programmers not employed by that company have some obligation to not
> only report bugs, but also to point out how to fix them wherever
> possible...

The responsible disclosure draft recommends this, but it will be weakened in the next version; it is a bit to ask of the person who's notifying the vendor. That said, some researchers *do* provide hints or fix information to the vendor and/or public.

> I also don't feel, in most cases, I have any obligation to protect
> these "innocent" consumers from the evil software vendor.

Thank you for clarifying this (seriously, most opinions I've seen focus only on "not helping the vendor").

One of the intentions of responsible disclosure is to reduce the overall security threat to all network-connected systems. This comes at a cost to individuals or organizations who have the skills and resources to use immediate disclosure to protect their own systems (as mentioned by some people on this list). But it also suggests that responsible disclosure won't apply to people who may have other goals in mind besides "improving overall security."

(I'd be interested in hearing from people who believe that responsible disclosure *wouldn't* improve overall security for most systems, although I probably don't even need to ask in this forum :-)

But even if you don't feel an obligation to those innocent customers, it may ultimately affect you, as that could leave more Internet-connected systems vulnerable, which could then be used as launching points to attack your own systems.

- Steve