Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft

From: bkfsec (bkfsec_at_sdf.lonestar.org)
Date: 04/13/05

    Date: Wed, 13 Apr 2005 13:50:25 -0400
    To: Steve Friedl <steve@unixwiz.net>

    Steve Friedl wrote:

    >
    >My personal resolution: write two advisories. The first one is released
    >with the patch, but it doesn't contain a roadmap for how to create an
    >exploit. This gives the researcher the credit for the initial discovery.
    >
    >The second advisory has all the details, and I'd hold it until either some
    >time period (90 days?) or until an active exploit was circulating. This
    >lets me publish the technical details sooner or later but at least gives
    >a head-fake to "caring about the users".
    >
    >
    >
    I think that that's a reasonable position to take. I don't think that
    it's indefensible at all. I don't think that we can say that one policy
    applies to all situations, and that was really my point here. A lot of
    vendors (for their own gain, obviously) want to tie researchers down to
    one policy which is highly tilted in their favor. That's just not
    realistic. The researcher should have options in how to handle the
    disclosure, if only for the fact that limiting disclosure is a limit to
    our ability to share information - which is not a good thing. My point
    is that the researcher making the disclosure should determine their
    timeline, but with obvious consideration of the vendor and users, but
    that that should be a reasonable approach, and not followed because the
    researcher is forced to follow it.

                 -Barry

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
