Full Disclosure mailing list archives

Re: it's all about timing


From: full-disclosure () lists netsys com (Steven M. Christey)
Date: Thu, 1 Aug 2002 14:33:46 -0400 (EDT)

Georgi Guninski said:

> What scares me is that the "Responsible Disclosure" FUD continues.  On
> bugtraq people write that CERT and SecurityFocus are "established
> parties" and everyone who does not give them their 0days is
> irresponsible... I personally won't give them my 0days early.

A number of people thought that the disclosure process draft placed
too much of an emphasis on using third parties.  That will be weakened
to a suggestion in the next version.

The Coordinator role, as described in the process draft, does not need
to be restricted to parties such as SecurityFocus and CERT/CC.  For
example, just this year, w00w00 has taken on the Coordinator role in
the disclosure of an AIM vulnerability and an IE/Office vulnerability.

  http://marc.theaimsgroup.com/?l=bugtraq&m=101897994314015&w=2
  http://marc.theaimsgroup.com/?l=bugtraq&m=102071080509955&w=2

> The "Responsible Disclosure" draft continues to get advertised, though
> it was not approved by IETF.

A minor clarification: while it was the subject of lively debate on
the IETF Security Area Advisory Group (SAAG) mailing list, the SAAG
did not think it was appropriate to pursue a document that dealt with
procedures as opposed to networking protocols.  So, it was not
approved because the topic was outside the scope of the IETF.

Other organizations have expressed support for developing the
responsible disclosure concept (with some changes to the current
draft), but they aren't set up for public feedback and/or document
ownership like the IETF is.


- Steve

