| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060109181702.GJ8981@alcor.net> Date: Mon Jan 9 18:21:01 2006 From: mdz at debian.org (Matt Zimmerman) Subject: Open Letter on the Interpretation of "Vulnerability Statistics" On Sat, Jan 07, 2006 at 04:59:48PM +0100, Florian Weimer wrote: > * Georgi Guninski: > > > so you approve gaining pseudo credibility by practicing mouse copy/paste? > > > > then this pseudo credibility leads to corporate serving/licking like: > > "responsible disclosure rfc" - search for it. > > > > not than coley is consistent at all (besides lacking completeness): > > http://www.cve.mitre.org/board/archives/2002-02/msg00026.html > > ------------------- > > - The Board has agreed that CNAs should not reserve candidates for > > people who do not practice responsible disclosure (candidates would > > be assigned *after* publication). I hope that this document, or a > > later version, will become part of the "definition" of responsible > > disclosure. > > ------------------- > > Yes, this puzzles me too, but on the other hand, Debian became a CNA, > and Debian's official policy is geared away from "responsible > disclosure" -- all bug reports are supposed to be public. Debian isn't a CNA; as far as I know, it isn't possible for organizations to become CNAs. Some of the people in security-related roles in Debian are also (individually) CNAs. Additionally, Debian has traditionally participated in coordinated disclosure, before CVE existed. -- - mdz
Powered by blists - more mailing lists