Message-ID: <40E83BEB.2090709@immunitysec.com>
From: dave at immunitysec.com (dave)
Subject: Public Review of OIS Security Vulnerability Reporting and Response Guidelines

Nobody trusts the OIS or its motives. I imagine this is similar to the 
feedback you've gotten from everyone else as well, but Immunity has no 
plans to subscribe to your guidelines, and is going to oppose any 
efforts you make to legislate those guidelines as law. In section 1.1 
the draft proposes that the purpose of the OIS's model is to protect 
systems from vulnerabilities. This is fairly obviously untrue - the 
purpose of the OIS is to lobby towards a business model for Microsoft 
and the other OIS members that involves the removal of non-compliant 
security researchers.

This call for feedback is a thinly disguised attempt to get public 
legitimacy and allow the OIS to claim it has community backing, which it 
clearly does not.

It's rare, but there are still security companies and individuals who do 
not owe their entire business to money from Microsoft. It's July 4th, 
and some of us are Americans who understand the concept of independence.

Dave Aitel
Immunity, Inc.




OIS wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Organization for Internet Safety (OIS) extends an invitation to
> the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> lists to participate in the ongoing public review of the OIS Security
> Vulnerability Reporting and Response Guidelines.
> The OIS reviews the Guidelines annually to ensure that they remain
> useful and relevant to the security community and, most importantly,
> to the millions of computer users who are the ultimate beneficiaries
> of effective computer security practices.  Over the past year, OIS
> has received feedback from many adopters of the Guidelines as well as
> from several public-private partnerships, and has incorporated much
> of this feedback into an interim version that is available at
> http://www.oisafety.org/review/draft-1.5.pdf.  We recommend reviewing
> the interim version, but reviewers are welcome to provide feedback on
> the original version at http://www.oisafety.org/reference/process.pdf
> if they would like.
>
> For more information on the public review, please visit
> http://www.oisafety.org/review-1.5.html.  The closing date for the
> review has been extended until 16 July 2004.  We look forward to your
> feedback.
>
> Regards,
>
> The Organization for Internet Safety
> www.oisafety.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQOWQgbF9hclyvjnOEQIhmACfYlaHX2NnJbHUCaCYfMHO4tkGDh0AoMzz
> KWNTvxgQVKXiC1OU9CR/rXYF
> =4mT/
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

