Message-ID: <200306091302.31497.a.gietl@e-admin.de>
From: a.gietl at e-admin.de (Andreas Gietl)
Subject: Security Vulnerability Reporting and Response Process
On Monday 09 June 2003 10:11, Byrne Ghavalas wrote:
>
> As this process has been proposed by OI Safety, one cannot help
> but think that these exceptions create an unfair advantage for
> members of OI Safety. After all, many of the members provide a
> chargeable vulnerability notification service (or offer a
> vulnerability assessment product) to their customers - if they
> are able to offer the information to their customers before the
> information is issued to the general public, they have an unfair
> advantage over anyone else that is not privy to the early release
> of this information.
I think the companies who initiated the process already act like the paper
suggests, so they share information about new security threats when they become
aware of it, contact the vendor and then, after the hole is fixed, they release
the information, since they all consider themselves "important for the
internet infrastructure".
So their paper is not addressed to themselves - since they already behave like it.
It is addressed to all the people out there exploring security issues who do not
belong to the initiators of the paper. They want to control these people
and want to cut off their peers from the information. So the people who
are actually addressed by the paper are the ones who "suffer" most from it.
>
> a. Is there a way to provide some form of controlled release
> of this 'detailed' information?
>
> b. Again, who will have access to the information and how will
> it be controlled?
I don't think the information could be shared and controlled. You can just
share it - or control it. Even if you contract all people and sue them if
they leak the information, this would not prevent the information from spreading, since
you will never be able to trace back the source of the information.
>
> I look forward to hearing your response.
>
> Kind regards
>
> Byrne Ghavalas
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Andreas Gietl