Responsible Disclosure by Corporate Fiat
Jon Lasser, 2002-10-30

The new Organization for Internet Safety aims to make vulnerability disclosure more responsible. It's a good idea, but is the group too corporate to pull it off?

Responsible Disclosure by Corporate Fiat 2002-10-31
Bob Dowling <rjd4@cam.ac.uk> (1 reply)
I do not think you are a Microsoft lackey, a fascist, or a dolt but I do think you are being naive about the vendors.
Suppose I report a security flaw to a vendor. What's to stop them responding with a court order gagging me? It doesn't matter if the court order wouldn't stand up to challenge. I can't afford to find out. Your system needs explicit penalties for vendors that do this.
My next criticism of your proposal is the timescales involved. I'm not a full-time security investigator; if I find a security hole it's most likely that I was investigating a security break-in. I can't afford to wait two months for a fix. I need it now and am not above applying pressure on the vendor by publicising the flaw. Simple parameters like your timeouts are open to negotiation, so I don't regard that as a serious problem, though.
More important is the vagueness of the "else" clauses. Suppose I have waited my two weeks and received no acknowledgement. What may I publish? A vague warning? A detailed demonstration that there is a buffer overflow (for example)? Or an exploit of that overflow to scare the hell out of the vendor to actually get them to do something? Personally I would go for the second option, with a timeout of one week before releasing the third. Suppose the flaw has been acknowledged but the vendor still hasn't shipped a fix because of their "extensive internal testing" after six weeks. What may I do then?


Link to this comment: http://www.securityfocus.com/comments/columns/120/17005#17005
OIS 2002-10-31
batz

Copyright 2008, SecurityFocus