Full Disclosure mailing list archives
Re: Seeking comment on disclosure articles
From: Ben Bucksch <news () bucksch org>
Date: Fri, 12 Jan 2007 14:34:21 +0100
I hope you realize that you open a highly controversial subject, i.e. flamewar.

My current approach is: Basic idea is that vendors should have the ability to fix them without the public exploiting it at the same time, but even during the secret time, various parties will see the bug, so this time is highly dangerous, so it must be kept to the minimum. Exploits should be fixed within 7 days, from first report to shipping fix.

I notify the vendor in advance, via security () example com and other addresses. I cc the press. I expect a first response within 24 hours about where the message is routed. I set a deadline of 7 days. I want to know about the progress and final fix, because most often, the proposed fix will not entirely fix the problem. If I don't see the vendor as treating this with enough priority or pressure, he gets 1 or 2 warnings, and if the treatment doesn't improve, I publish the bug on the "Full Disclosure" mailing list. As soon as the fix ships, the bug gets published, and a few days later, all details get published.

These are the ground rules. There may be reasons to immediately publish without pre-notification, e.g. when the bug is too obvious. Under no circumstance should a fix take longer than one month.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/