Full Disclosure
mailing list archives
Re: Security Vulnerability Reporting and Response Process
From: Andreas Gietl <a.gietl () e-admin de>
Date: Mon, 9 Jun 2003 13:02:31 +0200
On Monday 09 June 2003 10:11, Byrne Ghavalas wrote:
> As this process has been proposed by OI Safety, one cannot help
> but think that these exceptions create an unfair advantage for
> members of OI Safety. After all, many of the members provide a
> chargeable vulnerability notification service (or offer a
> vulnerability assessment product) to their customers - if they
> are able to offer the information to their customers before the
> information is issued to the general public, they have an unfair
> advantage over anyone else that is not privy to the early release
> of this information.
I think the companies who initiated the process already act like the paper
suggests: they share information about new security threats when they become
aware of them, contact the vendor, and then release the information after the
hole is fixed, since they all consider themselves "important for the
internet infrastructure".
So their paper is not addressed to themselves - they already behave like it.
It is addressed to all the people out there exploring security issues who do
not belong to the initiators of the paper. They want to control these people
and want to cut off their peers from the information. So the people who
are actually addressed by the paper are the ones who "suffer" most from it.
> a. Is there a way to provide some form of controlled release
> of this 'detailed' information?
> b. Again, who will have access to the information and how will
> it be controlled?
I don't think the information can be shared and controlled. You can either
share it - or control it. Even if you put all people under contract and sue
them if they leak the information, this would not prevent the information from
spreading, since you will never be able to trace it back to its source.
> I look forward to hearing your response.
> Kind regards
> Byrne Ghavalas
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Andreas Gietl