Bugtraq mailing list archives
Re: It takes two to tango
From: Jose Nazario <jose () monkey org>
Date: Wed, 31 Jul 2002 10:48:29 -0400 (EDT)
to continue the "it takes two to tango" metaphor, i will say the following (inline):

On Wed, 31 Jul 2002, Chris Paget wrote:
> 2) R attempts to contact V to reveal the bug.
> 3) V does not respond.
this is the fault of the vendor for not having a well-known and publicized contact point for handling security concerns. furthermore, if publicly published email addresses for the company (i.e. webmaster, abuse, postmaster, support, security) do NOT have the correct stuff forwarded to the security contact, there is an organizational breakdown at the vendor. this has been beaten to death by this point; there is no reason this should still be the case.
> 4) R attempts communication several times over the next 90 days, but never receives a response.
if the researcher doesn't attempt to work with an established third party (i.e. CERT, SecurityFocus) to get this contact made, they are acting in an irresponsible fashion. at least the researcher waited 90 days, though.

so, it does take two to tango: both sides have to have made honest efforts to make sure this process of vulnerability notification can work as smoothly as possible. this has been the subject of many recent discussions, including standards drafts. no excuses for not attempting to adhere to these best practices for either side of the issue.

___________________________
jose nazario, ph.d.
jose () monkey org
http://www.monkey.org/~jose/