Group Releases Anti-Disclosure Plan
Kevin Poulsen, SecurityFocus 2003-06-04

A group of 11 of the largest software companies and computer security firms released the first public draft of a proposed bug disclosure standard on Wednesday, and asked the security community for comments.

30 days 2003-06-05
Anonymous
Um...ok 2003-06-05
SFN (1 replies)
Standards?? 2003-06-05
Lockdown
This "Standard" 2003-06-05
Patrick D. Cusack
Here we go again. 2003-06-06
RogueClient
Group Releases Anti-Disclosure Plan 2003-06-07
Darren Woodall
The few dictating to the many? 2003-06-07
Anonymous
convenient 2003-06-10
chort (1 replies)
30 days 2003-06-11
Revilo
A *limited* non-disclosure period is a good idea, and academic researchers will do this, though Ross Anderson (http://www.cl.cam.ac.uk/users/rja14/) of Cambridge University once disclosed a serious security bug to a financial institution, which couldn't decide which department was responsible for it by the time he eventually released it!

Commercial researchers should be able to find a way to charge for information on a delayed publication model.

What is needed for all parties (excluding attackers and lazy vendors) is a chance to fix the problem and an incentive to fix it promptly - 30 days from notification to publication sounds plausible.

Stuff it. 2003-06-12
Anonymous







 

Copyright 2008, SecurityFocus