From: a.gietl at e-admin.de (Andreas Gietl)
Subject: Security Vulnerability Reporting and Response Process

On Monday 09 June 2003 10:11, Byrne Ghavalas wrote:

> As this process has been proposed by OI Safety, one cannot help
> but think that these exceptions create an unfair advantage for
> members of OI Safety. After all, many of the members provide a
> chargeable vulnerability notification service (or offer a
> vulnerability assessment product) to their customers - if they
> are able to offer the information to their customers before the
> information is issued to the general public, they have an unfair
> advantage over anyone else that is not privy to the early release
> of this information.

I think the companies who initiated the process already act like the paper suggests: they share information about new security threats when they become aware of them, contact the vendor, and then, after the hole is fixed, they release the information, since they all consider themselves "important for the internet infrastructure". So their paper does not address themselves, since they already behave like it. It addresses all the people out there exploring security issues who do not belong to the initiators of the paper. They want to control these people and want to cut off their peers from the information. So the people who actually are addressed by the paper are the ones who "suffer" most from it.

> a. Is there a way to provide some form of controlled release
> of this 'detailed' information?
>
> b. Again, who will have access to the information and how will
> it be controlled?

I don't think the information could be shared and controlled. You can just share it - or control it. Even if you contract all people and sue them if they leak the information, this would not prevent the information from spreading, since you will never be able to trace back the source of the information.

> I look forward to hearing your response.
>
> Kind regards
>
> Byrne Ghavalas
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Andreas Gietl