Full Disclosure mailing list archives
Re: it's all about timing
From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 7 Aug 2002 11:45:17 -0700
I get the impression that some government type may have whispered in your ear: "go out into the IT community and get a 'people's' consensus on a guideline that we expect to put into legislation in the near future". This way it is the 'people's' guideline and not the government's. All this continual talk about it does nothing other than give it legitimacy and a footing, when in fact, had the status quo been maintained, nobody would be the wiser. In other words, someone has come up with the brainwave to do something about nothing.

On Mon, 5 Aug 2002 21:51:50 -0400 (EDT), full-disclosure () lists netsys com wrote:
> choose.a.username () hushmail com said:
>
> > What are the penalties now for not abiding by this guideline, or any other guideline that might be out there.
>
> We explicitly stayed away from defining what the penalties are. That's outside the scope of the recommendations - the "marketplace" may decide, or perhaps, the legal community may decide. If there are no guidelines at all, then perhaps "the government" will decide (which obviously has its own issues, in an international community such as information security.)
>
> > Pretend that your (as in this) guideline was already implemented. How on earth would you expect it to have stifled the release by both the individual in (or a part of) SnoSoft and ISS.
>
> It at least establishes a point of discussion. Whether you agree with the particular points of the draft or not, they can be compared to the facts (or apparent facts) of the situation. For the ISS/Apache issue, it seems that nobody disputes that ISS gave Apache less than 7 days to respond to the initial report, before they published. This is not consistent with the spirit of the disclosure draft (I just took a look at it, and while it requires the vendor to respond within 7 days, it doesn't have a complementary suggestion that the reporter should give 7 days to the vendor! whoops). In the ISS/Apache case, we have the further complication that multiple vendors were involved (a difficult issue that is not addressed by the current draft, except in its recommendations for involving coordinators). Without community-defined guidelines, there are no clear boundaries to say whether ISS did things "reasonably" or not. The SnoSoft/HP issue is more complicated and not cleanly addressed by the disclosure draft, which does not cover accidental or unauthorized releases, and is not comprehensive on the role of third party coordinators. I think it demonstrates some of the complexity in vulnerability disclosure.
>
> Some people have argued that this means that there shouldn't be *any* guidelines, but I believe that we should try to be as detailed as possible in the guidelines to reduce confusion, provide flexibility where it is needed, and do what is possible to avoid regulations that may come from outside the IT community.
>
> - Steve
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure () lists netsys com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
Current thread:
- Re: it's all about timing, (continued)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 05)
- Re: it's all about timing Steven M. Christey (Aug 05)
- Re: it's all about timing Steven M. Christey (Aug 05)
- Re: it's all about timing Steven M. Christey (Aug 05)
- Re: it's all about timing Steven M. Christey (Aug 05)
- Re: it's all about timing Steven M. Christey (Aug 05)
- Re: it's all about timing Ron DuFresne (Aug 05)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 07)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 07)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 07)
- Re: it's all about timing full-disclosure () lists netsys com (Aug 07)