Bugtraq mailing list archives
Re: It takes two to tango
From: Branson Matheson <branson () windborne net>
Date: 31 Jul 2002 13:56:40 -0400
On Wed, 2002-07-31 at 10:48, Jose Nazario wrote:
4) R attempts communication several times over the next 90 days, but never receives a response.
If the researcher doesn't attempt to work with an established third party (i.e. CERT, SecurityFocus) to get this contact made, they are acting in an irresponsible fashion. At least the researcher waited 90 days, though.
Refusing to work with an "established third party" does not constitute
"irresponsible behavior". Arguably it does make the process smoother
when a third party is used, but should not be a litmus test for the proper
way to notify a vendor, or any other purveyor of software or hardware.
There are many researchers who do this work outside of any organization
for any number of reasons including questioning the motives of
commercial security companies to disagreeing with directional statements
from non-commercial entities. Regardless of the reason... very credible
work has been performed by lone individuals and we would be remiss in
casting doubt on their methods and lose that advantage.
Established guidelines, that everyone can follow across organizational
boundaries, are the best solution. Contact addresses, expectations of
both the vendor and the researcher, and methodologies for distribution
of a solution should be public knowledge and defined broadly by
standards.
Each vendor should also publish their own expectations with regard to
handling vulnerabilities and bugs. Specifically, they should state where
they are diverging from the aforementioned standards. In this way, the
researcher knows what he or she is getting into by notifying the vendor.
This doesn't mean that each vendor should have their own, unique
policies, but make it clear so that responsible individuals can do their
best to adhere to the ideas set forth and thus prevent threatening
letters.
--
- branson
-------------------------------------------------------------------------------
Branson Matheson
Systems Consultant
Windborne, Inc.

"If you are falling off of a mountain, you may as well try to fly."
- Delenn, Minbari Ambassador
( $statements = <BRANSON> ) !~ /Company Opinion/;
