[olug] Security Vulnerability Disclosures

Dave Hull dphull at insipid.com
Tue Mar 25 21:29:33 UTC 2003


On Tue, 25 Mar 2003, Eric Penne wrote:

> I'm looking for a rational discussion not a flame war on the benefits of
> full vs delayed disclosure of security vulnerabilities.  I know this topic
> generally borders on the flame war type of discussion but I'm reasonably
> certain OLUG is above this childish crap.

As I'm sure you're aware, there's a wealth of information on this debate 
available online. Google for it.

My own opinion, after following the debates and reading quite a bit about it, 
is that responsible full disclosure is the most prudent way to handle it. That 
is to say, if you discover a vulnerability, notify the vendor of the problem 
and give them a reasonable amount of time to issue a patch, typically 30 days. 
Let them know that at the end of that time, you will go public with the 
vulnerability in the interest of greater security for all.

This approach gives the vendor a chance to correct the problem while at the 
same time, motivates them to get the problem corrected, because they know 
you're going public with the information eventually.

It is considered responsible, because you're not going straight to the public 
with vulnerability information. And at the same time, it's full disclosure, as 
eventually you will disclose the information to the public.

-- 
Dave Hull
http://insipid.com

> perhaps, some people might view Lindows as a godsend.

...or a professional wrestler that looks just like Steve Ballmer cast in
Johnny Depp's role in BLOW.  Uh...skip that last image.
-- Steve Nordquist, Re: Lindows?, 10/28/01
