Dailydave mailing list archives

Re: The Invisible Hand of 'Responsible Disclosure'


From: Paul Wouters <paul () xelerance com>
Date: Thu, 7 Sep 2006 18:07:21 +0200 (CEST)

On Wed, 6 Sep 2006, Michael Sutton wrote:

Federico Biancuzzi has posted an interesting survey at SecurityFocus
(http://www.securityfocus.com/columnists/415) where he surveys various
software vendors, security researchers (looks like he missed you Dave)

Interesting how RedHat praises NISCC. NISCC, and their "Traffic Light
Protocol" for vulnerability disclosure is completely incompatible with
opensource software. They so don't get it.

The article talks about the point of view of commercial vendors being
notified, security researchers' responsibility notifying vendors, but
not really about how security organisations such as MITRE/CERT/NISCC
notify the relevant parties involved.

http://portal.spidynamics.com/blogs/msutton/archive/2006/09/06/The-Invisible-Hand-of-_2700_Responsible-Disclosure_2700_.aspx

Your "invisible hand of responsible disclosure" might work on an individual
bug found by an individual in an individual piece of software. But it
does not really address certain protocol common vulnerabilities, or open
source software being re-used and rebranded all over. I'm not just talking
about our own product (openswan), but also about other common software.
Take the openssl and bind vulnerabilities from a few days ago. I got an
advance notice of ISC about bind, so I knew about the new versions last
Friday. They announced their new versions on Tuesday, and I expected
apt-get and yum to immediately catch on. But I'm still waiting on the
updates to reach my servers.

So I might agree with you for proprietary closed software, but we still
have not figured out how to properly deal with opensource software
vulnerability disclosure at all.

Paul
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
