[olug] Security Vulnerability Disclosures

Brian Wiese bwiese at cotse.com
Wed Mar 26 08:30:19 UTC 2003


Rain Forest Puppy set up one of the first really followed policies.
http://www.wiretrip.net/rfp/policy.html

I think more so lately, it has been more of a 'responsible disclosure'
involving about 30 days or whatever it seems to take to go public.  Usually
notification should be sent to the vendors of course, and then some
vulnerability/security places like CERT and such, and it seems like the
Department of Homeland Security is now responsible for this as well... as
shown with the latest sendmail vulnerability.

One of the new things that happens lately is that places like iDefense pay
hackers for finding vulnerabilities and letting iDefense make the
appropriate responsible disclosures and be the first to go public with it.
http://www.idefense.com/contributor.html

The discoverers still get the credit though, anonymously if they want, and
some cash for finding flaws in software so that they can be made more
secure... pretty good deal I think.  One thing that was happening as well,
some places like CERT (forget who it was actually) would get the vuln
discoveries from some hacker -- sent to them for free, and the hacker did
all the work, and now this organization would alert its "preferred
(paying) customers" about the potential vulnerability and get patches to
them first... then announce the vulnerability publicly.

On 25 Mar 2003 15:51:55 -0600
Nick Walter <waltern at iivip.com> wrote:
 
|3.)  30 days later, full details with sample exploit code are released.
|This step is important, because without full disclosure, vendors won't
|release patches.

I don't know if this can be stated as true... maybe for Micro$oft, but
most open source apps will quickly fix a flaw if it's discovered (I would
hope).  I have heard that many people won't patch software where there is
no live 'exploit' for it known though. =)

peace

  Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
------------------------------------------------------
  GnuPG/PGP key 0xF3220030 | "FREEDOM!" - Braveheart 
------------------------------------------------------  
This is not about Napster or DVDs. It's about your Freedom.
  I'll see your DMCA and raise you a First Amendment.
              http://www.anti-dmca.org