Vulnerability Development mailing list archives

Re: useless security@ contacts

From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 21 Mar 2002 19:15:06 -0500 (EST)


It must be noted that buried underneath all the hubbub surrounding the
"Responsible Vulnerability Disclosure Process" (RVDP) document that
Chris Wysopal and I have proposed, we make an explicit recommendation
that vendors adopt a standard security contact mailing address.

security () example com is not universally used, and in some cases it's
actually used for the organization's physical security team.  It's
also overloaded for incident reporting and abuse.  For that reason, we
have proposed that vendors use the "secalert" alias for responding to
vulnerability reports.

Our RVDP document tries to address the fact that many vendors have not
set up a capability for recognizing and responding to security
vulnerability reports.  Many vendors aren't even aware that this is a
problem.  This sometimes forces reporters to go public with an issue
when they would have preferred to give the vendor a chance to patch
the problem first.  Just this week, we have seen several examples.

See our recommendations for yourself in section 3.3.1 of our draft,
which can be found at:

  http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

We also make suggestions for how the vendor could continue feedback to
the reporter throughout the disclosure process, in sections 3.4.1,
3.5.1, and 3.6.1.

Despite the concern with the current document, "responsible
disclosure" also applies to the vendor.  Vendor accessibility and
responsiveness will remain an important element of future documents.
Chris and I hope that the adoption of standards for vendor
responsiveness will make it easier for vulnerability reporters to
reach the right people.  A standard will (1) make some vendors aware
that it is good for them to be accessible to vulnerability reporters
in the first place, and (2) allow customers and others in the
community to identify vendors who do not live up to such expectations.

Vulnerability reporters: you are encouraged to include a "vendor
status" section in your public advisory, which explicitly states who
you tried to contact at the vendor, and when.  While vendor status
sections already appear in some advisories, many of them do not
provide this type of detail.  The more status reports there are, and
the more comprehensive they are, then the easier it is to understand
the extent of the problem, and the easier it will become to do
something about it.

- Steve

P.S. Vulnerability reporters, feel free to email me your own "horror
story" or "success story."  I will not use your name unless you
explicitly authorize it.

Current thread:

useless security@ contacts J Edgar Hoover (Mar 19)
- Re: useless security@ contacts Ron DuFresne (Mar 20)
- <Possible follow-ups>
- Re: useless security@ contacts Ron DuFresne (Mar 21)
- Re: useless security@ contacts Steven M. Christey (Mar 21)