[olug] Re: New CERT/CC Vulnerability Disclosure Policy

Adam Lassek lunatik at radiks.net
Wed Oct 4 20:37:17 UTC 2000


What? You mean security through obscurity doesn't work?! :)

John Kennedy wrote:
> 
> Aaaahhh the reach of M$...
> John
> 
> Shawn Hernan wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Hello,
> >
> > I thought readers of this list may find our new vulnerability
> > disclosure policy interesting.
> >
> > Effective October 9, 2000, the CERT Coordination Center will follow a
> > new policy with respect to the disclosure of vulnerability
> > information. All vulnerabilities reported to the CERT/CC will be
> > disclosed to the public 45 days after the initial report, regardless
> > of the existence or availability of patches or workarounds from
> > affected vendors. Extenuating circumstances, such as active
> > exploitation, threats of an especially serious (or trivial) nature, or
> > situations that require changes to an established standard may result
> > in earlier or later disclosure. Disclosures made by the CERT/CC will
> > include credit to the reporter unless otherwise requested by the
> > reporter. We will apprise any affected vendors of our publication
> > plans, and negotiate alternate publication schedules with the affected
> > vendors when required.
> >
> > It is the goal of this policy to balance the need of the public to be
> > informed of security vulnerabilities with the vendors' need for time
> > to respond effectively. The final determination of a publication
> > schedule will be based on the best interests of the community overall.
> >
> > More information can be found at
> >
> >         http://www.cert.org/faq/vuldisclosurepolicy.html
> >
> > Thanks,
> > Shawn
> >
> > Shawn Hernan
> > Vulnerability Handling Team Leader
> > CERT/CC
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.1i
> >
> > iQCVAwUBOdp0egYcfu8gsZJZAQE/qAP8DdakGWrvKYukVYxLwnFFsBZS1z1Ne7T3
> > e127+fzV4ePQzGup81kwgcTJIXuhn9DR1ENEHcD81MmVCIwRWq9eTSKjKHb6hI+4
> > LHRWpXqK+lwEax6mUqg7z7hCVlsZtOlVwbG2uwXbmhZ+omMNbqoQJXrMmP5yZLJx
> > 1LPciSCzQys=
> > =P98e
> > -----END PGP SIGNATURE-----
> 
> --
> John Kennedy
> UNIX System Administrator
> Orent Graphics
> 402-733-6400 Ext 266
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net

-- 
A good pun is its own reword.
