Bugtraq mailing list archives

RFPolicy for vulnerability disclosure

From: rfp () WIRETRIP NET (rain forest puppy)
Date: Mon, 12 Jun 2000 18:51:26 -0500


I'm not sure if anyone would be interested, but I thought I would give it
a whirl anyway just in case....

I just posted what I've dubbed as 'RFPolicy'.  RFPolicy is an inititive to
help establish concrete guidelines for disclosure of security problems.
This was prompted due to many recent responses from vendors such as "we
were never given a chance", or "there is an 'unwritten' standard of
notifying the vendor X days ahead of time", etc.

My intent is not to push this policy onto the community.  Everyone can
obviously do whatever they feel like.  But *I* will be using this
disclosure policy in all future security disclosures, and I encourage
anyone wishing to use or modify it, to do so.

Feedback on the policy is also welcome.  It can be found at:

http://www.wiretrip.net/rfp/policy.html

Thanks,
- rain forest puppy

Current thread:

Re: Glftpd privpath bugs... +fix, (continued)
- - - Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
  - Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
    - IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
    - Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
    - FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
    - RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
    - CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
    - SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)
    - Ethics ?? : Re: local root on linux 2.2.15 Gerrie (Jun 10)
  - CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH Andreas Hasenack (Jun 10)
- Trustix Security Advisory Oystein Viggen (Jun 09)
- Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Tom Yu (Jun 09)
  - Remote DOS in linux rpc.lockd mmurray () FSCINTERNET COM (Jun 08)
  - Re: Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Mike Friedman (Jun 09)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Antonio Galea (Jun 15)
  - Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Lionel Cons (Jun 16)

(Thread continues...)