nanog mailing list archives

Re: possible rsync validation dos vuln


From: Nick Hilliard <nick () foobar org>
Date: Fri, 29 Oct 2021 17:28:27 +0100

Barry Greene wrote on 29/10/2021 13:15:
"The NCSC will try to resolve the security problem that you have reported in a system within 60 days. Once the problem has been resolved, we will decide in consultation whether and how details will be published."

I would have expected you to counsel the researchers on responsible disclosure principles.

there's a public statement about this from NCSC-NL:

https://www.ncsc.nl/actueel/nieuws/2021/oktober/29/aanstaande-bekendmaking-cvd-procedure-rpki

"During this process, a decision was made to inform the developer of RPKI-client at a later stage. This decision was made on the basis of the public standpoint of these developers, namely support for 'full disclosure'. The developers of RPKI-client have let the NCSC know that they do not agree with involvement under embargo."

Looks like the NCSC got confused about OpenBSD's internal security vuln management process, which involves full disclosure on their terms, and the way they operate with disclosures from third parties / multiparty engagement, which involves co-operation with the disclosing party / CERT about mutually acceptable terms, including co-ordinated disclosure, i.e. standard industry practice. Some public clarity from the openbsd people would help here.

+ there was a screwup with the rcynic developers.

It's a bit much to claim that the openbsd (+ rcynic) people didn't agree with involvement under embargo when the terms were apparently: we're releasing details in 4 days and will only tell you what the problem is if you agree to this.

Regardless of how this misunderstanding came about, this style of approach doesn't form part of an acceptable vulnerability management process.

Nick
