Disclosure Survey
Federico Biancuzzi, 2006-09-05

Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies that pay for vulnerabilities, and then talks with three prominent independent researchers about how they choose a responsible disclosure process. In three parts.

Disclosure Survey 2006-09-05
LonerVamp (1 reply)
Excellent article, I loved reading the various opinions to the full disclosure debate.

I see that, by and large, most everyone is in agreement except for that one touchy subject: timeliness of a resolution. That seems to be the sticking point and also the most subjective part of the whole process...

Re: Disclosure Survey 2006-09-05
Matthew Murphy
You are very right, timeliness is the biggest sticking point without question. What's a reasonable timeframe? There's no good answer that can be generally applied. It changes from issue to issue.

Most vendors prefer to err on the side of limited disclosure -- that is, they prefer to wait until...

Disclosure survey 2006-09-05
Todd Knarr
As noted, timeliness of response by the vendor's an issue. Another one is an (IMHO unwarranted) assumption behind all the vendor disclosure rules: that the fact that the general public doesn't know means that the black-hats don't know either. My suspicion is that the black-hats do know about these 0...

The Invisible Hand of 'Responsible Disclosure' 2006-09-06
Michael Sutton
While the survey does not lead to any unexpected conclusions, it is interesting nonetheless. I don't, however, understand why we spend so much time trying to define 'responsible disclosure'. Vendors and researchers do not agree on what it means and they never will.

Biancuzzi's survey inspired me to...

Copyright 2009, SecurityFocus