Dailydave mailing list archives
Re: The Invisible Hand of 'Responsible Disclosure'
From: "Michael Sutton" <msutton () spidynamics com>
Date: Thu, 7 Sep 2006 12:21:56 -0400
http://portal.spidynamics.com/blogs/msutton/archive/2006/09/06/The-Invisible-Hand-of-_2700_Responsible-Disclosure_2700_.aspx

> Your "invisible hand of responsible disclosure" might work on an individual bug found by an individual in an individual piece of software. But it does not really address certain protocol common vulnerabilities, or open source software being re-used and rebranded all over.
>
> Paul
You bring up an interesting point. During my time at iDefense, vendor communication on open source projects posed perhaps the greatest challenge. Not because project maintainers were unresponsive; quite the opposite, they would often fix issues in a matter of days as opposed to the months required by their commercial counterparts. The challenge lay in informing those third parties, sometimes also open source, sometimes commercial, that were utilizing the vulnerable library/plugin/etc.

There were two challenges here. First, how do you identify all affected third parties? Second, how do you communicate with them without essentially making the information public?

In the first case, we relied on the affected project maintainer to inform affected third parties, not because it was the best system but because we felt that the maintainer was in the best position to know who was using his project (although I doubt that in most cases the maintainer knows for sure either). This also eliminated the problem of finding a secure means of communication, as that became the maintainer's problem.

Linux vendors have attempted to address this issue with the vendor-sec mailing list, but it is now plagued with holes, so a post to the list isn't much better than going public. In my opinion, it is necessary for major projects (OpenSSL, BIND, etc.) that know their content is used elsewhere to establish a secure communication medium with restricted membership for this very reason. That's a tall order for a project with only volunteer labor, but it's an important challenge.

Michael Sutton
Security Evangelist
SPI Dynamics
http://portal.spidynamics.com/blogs/msutton

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- The Invisible Hand of 'Responsible Disclosure' Michael Sutton (Sep 06)
- Re: The Invisible Hand of 'Responsible Disclosure' Paul Wouters (Sep 07)
- <Possible follow-ups>
- Re: The Invisible Hand of 'Responsible Disclosure' Michael Sutton (Sep 07)