'Responsible Disclosure' Draft Could Have Legal Muscle
Mark Rasch, 2002-03-11

A proposed Internet standard would dictate how researchers report and vendors close security vulnerabilities. Ignoring it could be risky for either side.

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-11
Michael Morgenstern
For further discussion of this very important topic, please see:

1. http://online.securityfocus.com/guest/10711
2. http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt...

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-12
Coldman (1 replies)
> "official Internet standard, called an "RFC"

Internet standards are named STD, not RFC.

RFC is "Request for comments" and nothing more, unless widely accepted/recognized as standard. Publishing a RFC won't make it standard by itself....

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-13
Francisco Sáa Muñoz
'...(just like failure to adhere to a standard such as BSD 7799)...'

It's BS7799 (Code of Practice for Information Security)

Urm... I think we are calumnists nor columnists......

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-12
Chris
Ha ha ha. The day an RFC has the weight of law...
I think the IETF is overstepping their bounds a bit here.
They can suggest a method, but to imply that it would
have the weight of law is pure folly....

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-12
Michael Morgenstern
For further discussion of this very important topic, please see:

"It's Time to be Responsible", current guest feature on SecurityFocus online website.

The Christey and Wysopal draft, available from the IETF

...

Not all RFCs are standards (see RFC 1796) 2002-03-13
Dwonis (1 replies)
Not all RFCs are standards. See: http://www.ietf.org/rfc/rfc1796.txt...

Not all RFCs are standards (see RFC 1796) 2002-03-14
Hal
In fact this document CAN NEVER become a standard. It is clearly labeled at the top "Category: Best Current Practice".

Documents that are intended to become standards are labeled "Category: Standards Track".
...

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-16
Keith
In fact people can be held legally liable with or without a technical standard on disclosure, in virtually any jurisdiction worldwide.

Even an unsuccessful lawsuit can punish the respondent (defendant) because of the costs involved in defending him/herself.

A standard on disclosure would do m...

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-22
S.Ye
It defines a procedure just only....

Grace Hopper and Liability 2002-03-22
J.R.
Back in the early 80's I had the privilege of listening to a presentation by Grace Hopper. Besides the normal modules of her presentation regarding the need for growth and where she saw the DP world heading, she addressed the issue of the potential damage of bad code or poorly Q.C.'ed code. Her observat...

Some good points, but too legalistic. 2002-03-22
Anonymous
The characterization of the responsible disclosure protocol in this
piece goes well beyond the intent of the Internet Draft itself. There is
a world of difference between an informal guideline that will serve both
the security research and software development communities, as a
tool, and the kin...

Copyright 2009, SecurityFocus