Kevin Poulsen, SecurityFocus 2003-06-04
A group of 11 of the largest software companies and computer security firms released the first public draft of a proposed bug disclosure standard on Wednesday, and asked the security community for comments.
Um...ok
2003-06-05
SFN (1 reply)
So, let's suppose this standard gets overwhelming approval, the public loves it and everyone goes to the seashore.
Then some "evil-doer" decides that they are going to post a vulnerability with full exploit code and lots of detail anyway.
Then what?...
Standards??
2003-06-05
Lockdown
Huh, kind of ironic, Microsoft releasing a standard. :) Is it just me or are there plenty of standards out there that Microsoft software breaks??
I'd say that "standards" in the computer industry are better described as "best practices". They are not something that you have to follow but more-...
Group Releases Anti-Disclosure Plan
2003-06-05
kl365
I'm not sure if I understand how they expect to keep people from developing their own code. Do they really expect most exploit writers to conform to their standards and thirty day waiting period? Like posted earlier, who's to stop someone from releasing it to the public and what would happen if they...
This "Standard"
2003-06-05
Patrick D. Cusack
The passing of any law or "standard" to this effect will permanently and irreparably compromise any form of anonymity currently enjoyed by users of the world wide web. It will offer corporations and governments an excuse to investigate, read, spy on any individual or collaboration thereof with any...
Here we go again.
2003-06-06
RogueClient
I am frankly amazed that some of the companies listed in this article agreed to participate in this - though I can see why others have.
It's the same old tired argument and rfp summed it up best several years ago when he wrote about full disclosure and the RDS issue. It's probably still on his we...
Group Releases Anti-Disclosure Plan
2003-06-06
Dave Aitel
The standard is completely irrelevant. If you look at the number of interesting vulnerabilities actually found by these companies, only ISS via Duke and Zip has been any competition for a real researcher. These companies are all in-hock to Microsoft via large consulting contracts anyways. In fact, t...
Group Releases Anti-Disclosure Plan
2003-06-06
G8R-B8
Well, well, well.... I was wondering when this idea would finally come to light. It's a lose-lose situation. It will help keep vulnerabilities unknown to the public for a longer period of time which will give the underground more time to exploit these vulnerabilities before patches are created, i...
The few dictating to the many?
2003-06-07
Anonymous
Yes, okay, so this group of *11* vendors wants to dictate the security disclosure practices that affect thousands of software companies. Okay....they don't even have IBM, Sun, BEA, or AOL, who all make software that has a significant presence on the internet.
If they want credibility, they'd bet...
Group Releases Anti-Disclosure Plan
2003-06-09
Seventh
Sure, give management a free ride to say "Oh, we will just ignore this security vulnerability" because of the "we didn't know that it was so serious that we should have patched it" syndrome, to keep cost down.
Idiotic ideas like this need to be filtered at the brain level.
So executives enter this into your b...
convenient
2003-06-10
chort (1 reply)
I find it convenient that a few of the companies most notorious for having exploitable products are bringing in (paying?) some of the companies known for finding the exploits and essentially telling them to keep quiet about said 'sploits.
As someone else already pointed out, at least one of the i...
30 days
2003-06-11
Revilo
A *limited* non-disclosure period is a good idea, and academic researchers will do this, though Ross Anderson (http://www.cl.cam.ac.uk/users/rja14/) of Cambridge University once disclosed a serious security bug to a financial institution, which couldn't decide which department was responsible for it...

Microsoft could just not release a patch, and block anyone from publishing.
Also, it is unclear what is gained by the parties? Will the disclosing party get money for following the proposal? Will they land in jail for not following it?...