Full Disclosure mailing list archives
Re: Security Vulnerability Reporting and Response Process
From: Andreas Gietl <a.gietl () e-admin de>
Date: Mon, 9 Jun 2003 13:02:31 +0200
On Monday 09 June 2003 10:11, Byrne Ghavalas wrote:
> As this process has been proposed by OI Safety, one cannot help but think that these exceptions create an unfair advantage for members of OI Safety. After all, many of the members provide a chargeable vulnerability notification service (or offer a vulnerability assessment product) to their customers - if they are able to offer the information to their customers before the information is issued to the general public, they have an unfair advantage over anyone else who is not privy to the early release of this information.
I think the companies who initiated the process already act like the paper suggests: they share information about new security threats when they become aware of them, contact the vendor, and then, after the hole is fixed, they release the information, since they all consider themselves "important for the internet infrastructure". So their paper is not addressed to themselves - they already behave like it. It is addressed to all the people out there exploring security issues who do not belong to the initiators of the paper. They want to control these people and want to cut off their peers from the information. So the people who are actually addressed by the paper are the ones who "suffer" most from it.
> a. Is there a way to provide some form of controlled release of this 'detailed' information?
> b. Again, who will have access to the information and how will it be controlled?
I don't think the information could be shared and controlled. You can just share it - or control it. Even if you contract all people and sue them if they leak the information, this would not prevent the information from spreading, since you will never be able to trace back the source of the information.
> I look forward to hearing your response.
> Kind regards
> Byrne Ghavalas
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Andreas Gietl
