Bugtraq mailing list archives

Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
From: Martin Sheppard <martin.sheppard () HSN CSIRO AU>
Date: Tue, 5 Sep 2000 17:17:41 +0930

At 21:56 4/09/00 -0600, Warner Losh wrote:
> What's really needed is a vulnerability stamping service :-).  In the
> coin collecting community, there are trusted parties that will encase
> a coin in lucite and engrave the date and their "mark" to show that
> this coin was encased in lucite on thus and such a date (or was given
> to them to be so encased on the date, it varies).  This can be useful
> in the coin collecting community to establish that a certain coin was
> first of its type to enter circulation, etc.  Maybe something similar
> is needed in the security community to strongly encourage advisory
> writers from acting prematurely because that's the only way to call
> "dibs" on a given vulnerability.  For it to be truly effective it has
> to be done on a massive scale and get the word out to everybody in the
> community.  It won't help people that release these things just to
> cause trouble, but it might take some of the pressure off.

Actually, this is surprisingly easy to do. As soon as the vulnerability is
discovered, a description is written and stored in a text file. The md5
hash of the text file is then posted to bugtraq, or whatever other
public forum you like, to mark the date when it was discovered. After the
vendor releases a patch you can release the description and anyone can
verify when it was discovered by looking at the date when the md5 hash was
published.

--
Martin Sheppard
Systems Administrator
CSIRO Health Sciences and Nutrition
Ph: (08) 8303 8812
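
The stamping scheme described in this message, as an added example that is not part of the original post: it swaps MD5 for SHA-256 (MD5 collisions are now practical, so one published hash could be prepared to match two different texts) and prepends a random nonce so a short, guessable description cannot be recovered from the hash. The function names and the sample advisory text are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample advisory text (placeholder content, not a real finding).
SAMPLE = b"Advisory draft\nProduct: ExampleD 1.0\nIssue: <description withheld>\n"


def md5_stamp(advisory: bytes) -> str:
    """The scheme exactly as the post describes it: MD5 of the text file."""
    return hashlib.md5(advisory).hexdigest()


def commit(advisory: bytes) -> tuple[str, bytes]:
    """Return (digest_hex, nonce).

    Publish digest_hex now. Keep the advisory and the nonce private until
    the vendor has patched, then release both so anyone can run verify().
    """
    nonce = secrets.token_bytes(16)  # fixed length, so nonce||text is unambiguous
    digest = hashlib.sha256(nonce + advisory).hexdigest()
    return digest, nonce


def verify(advisory: bytes, nonce: bytes, published_digest: str) -> bool:
    """Check a revealed advisory and nonce against the digest published earlier."""
    digest = hashlib.sha256(nonce + advisory).hexdigest()
    return hmac.compare_digest(digest, published_digest.strip().lower())


if __name__ == "__main__":
    digest, nonce = commit(SAMPLE)
    print("publish now :", digest)
    print("reveal later:", nonce.hex(), "+ the advisory file")
    print("verifies    :", verify(SAMPLE, nonce, digest))
    # The file must be byte-for-byte identical: a mail client or editor that
    # rewrites line endings produces a different digest.
    crlf = SAMPLE.replace(b"\n", b"\r\n")
    print("CRLF copy   :", verify(crlf, nonce, digest))
```

The digest only proves the text existed when the hash was posted, so the date comes from the public archive that carried the post, not from the hash itself.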

