Dailydave mailing list archives
Re: The Invisible Hand of 'Responsible Disclosure'
From: Paul Wouters <paul () xelerance com>
Date: Thu, 7 Sep 2006 18:07:21 +0200 (CEST)
On Wed, 6 Sep 2006, Michael Sutton wrote:
Federico Biancuzzi has posted an interesting survey at SecurityFocus (http://www.securityfocus.com/columnists/415) where he surveys various software vendors and security researchers (looks like he missed you, Dave)
Interesting how RedHat praises NISCC. NISCC and its "Traffic Light Protocol" for vulnerability disclosure are completely incompatible with open source software. They so don't get it. The article talks about the point of view of commercial vendors being notified and about security researchers' responsibility in notifying vendors, but not really about how security organisations such as MITRE/CERT/NISCC notify the relevant parties involved.
http://portal.spidynamics.com/blogs/msutton/archive/2006/09/06/The-Invisible-Hand-of-_2700_Responsible-Disclosure_2700_.aspx
Your "invisible hand of responsible disclosure" might work on an individual bug found by an individual in an individual piece of software. But it does not really address certain common protocol vulnerabilities, or open source software being re-used and rebranded all over. I'm not just talking about our own product (openswan), but also about other common software.

Take the OpenSSL and BIND vulnerabilities from a few days ago. I got an advance notice from ISC about BIND, so I knew about the new versions last Friday. They announced their new versions on Tuesday, and I expected apt-get and yum to immediately catch on. But I'm still waiting on the updates to reach my servers.

So I might agree with you for proprietary closed software, but we still have not figured out how to properly deal with open source software vulnerability disclosure at all.

Paul

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- The Invisible Hand of 'Responsible Disclosure' Michael Sutton (Sep 06)
- Re: The Invisible Hand of 'Responsible Disclosure' Paul Wouters (Sep 07)
- <Possible follow-ups>
- Re: The Invisible Hand of 'Responsible Disclosure' Michael Sutton (Sep 07)