Message-ID: <200306091302.31497.a.gietl@e-admin.de>
From: a.gietl at e-admin.de (Andreas Gietl)
Subject: Security Vulnerability Reporting and Response Process

On Monday 09 June 2003 10:11, Byrne Ghavalas wrote:

>
> As this process has been proposed by OI Safety, one cannot help
> but think that these exceptions create an unfair advantage for
> members of OI Safety. After all, many of the members provide a
> chargeable vulnerability notification service (or offer a
> vulnerability assessment product) to their customers - if they
> are able to offer the information to their customers before the
> information is issued to the general public, they have an unfair
> advantage over anyone else that is not privy to the early release
> of this information.

I think the companies who initiated the process already act like the paper
suggests, so they share information about new security threats when they
become aware of them, contact the vendor and then, after the hole is fixed,
they release the information, since they all consider themselves "important
for the internet infrastructure".

So their paper does not address themselves, since they already behave like it.
It addresses all the people out there exploring security issues who do not
belong to the initiators of the paper. They want to control these people
and want to cut off their peers from the information. So the people who
are actually addressed by the paper are the ones who "suffer" most from it.

>
> a. Is there a way to provide some form of controlled release
>    of this 'detailed' information?
>
> b. Again, who will have access to the information and how will
>    it be controlled?

I don't think the information could be shared and controlled. You can just
share it, or control it. Even if you contract all people and sue them if
they leak the information, this would not prevent the information from
spreading, since you will never be able to trace back the source of the
information.

>
> I look forward to hearing your response.
>
> Kind regards
>
> Byrne Ghavalas
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Andreas Gietl