Security Basics mailing list archives

Re: Things to do before vulnerability disclosure


From: "Sheldon Malm" <smalm () ncircle com>
Date: Mon, 15 Jun 2009 12:02:35 -0700

By "them", I believe Nicholas means report with discretion to the vendor (or organization if open source) to give them a reasonable chance to resolve the issue (i.e. patch) before any public disclosure.

Not to open the "responsible disclosure" flame war, but that is the practice that we use and encourage.

--------------------------
Sheldon Malm
Director 
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: Giuseppe Fuggiano <giuseppe.fuggiano () gmail com>
Cc: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Mon Jun 15 09:44:22 2009
Subject: Re: Things to do before vulnerability disclosure

Tell them?

Sent from my iPhone

On Jun 12, 2009, at 5:25 PM, Giuseppe Fuggiano <giuseppe.fuggiano () gmail com> wrote:

Hi list,

What are, if any, the legal and "ethical" things to do before someone
could publicly disclose a given vulnerability?

-- 
Giuseppe

--- 
---------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both  
Instructor-Led and Online formats is the most concentrated exam prep  
available. Comprehensive course materials and an expert instructor  
means you pass the exam. Gain a laser like insight into what is  
covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
--- 
---------------------------------------------------------------------

