Bugtraq mailing list archives
Re: Submission
From: aarhus () HUSHMAIL COM
Date: Tue, 28 Nov 2000 12:05:13 +0000
In response to hellnbak () HUSHMAIL COM's misgivings regarding early disclosure, I'd like to give an alternative point of view.

It seems to be assumed that providing the vendor with as long as they wish to produce a fix before announcing the vulnerability provides maximal security to the consumer. Does it really? I suggest, instead, that it reduces this security and allows the vendor to switch responsibility from themselves to the consumer.

I would personally prefer the following disclosure policy. Allow the vendor reasonable time to rectify the problem, providing either:

1. the vendor has made every effort to ensure that the product ships in a secure state by default and operating in a less secure mode requires explicit action by the end-user, including notification of a mechanism for the end-user to keep themselves abreast of security updates, or

2. the vendor has the ability to individually notify all users of the product and bring the vulnerability and fix to their attention.

Otherwise, the vendor should not necessarily receive any prior notice.

What does this achieve? 90% or so of all vulnerabilities in web browsers seem to end up with the advice to work around the problem by disabling javascript or java or activex or whatever. If that were the default, only those who explicitly chose to enable those features would be at risk. Ideally, they would be notified of the risk when they chose to activate them.

Providing prior notice to a vendor regarding, say, an operating system bug, allows them to fix it internally, notify their chosen partners so that they have a fix, announce the fix to the world, and then shift the blame from themselves to the end-user for not updating the product when the consumer's computer is eventually cracked. Instead, the vendor would have to either have a means to notify everyone equally, ship securely, i.e. with firewalling features installed by default, or invest effort in reducing the problems in the first place, through audits, for example.