Full Disclosure mailing list archives

Re: HP Full Disclosure Story


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 28 Aug 2002 08:56:57 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven,

I would like to know how you determined this: "with an implied
Grace Period of 0 days"

Since the vendor did not say to publish the results of the challenge publicly on this list, would your policy not have required you to contact him first - in private - before making it public?

In other words, is the default of your policy to make whatever one finds public in the event that "vendors [do not] publish information including what Grace Period" or do not state not to make it public?

Sounds good to me. Seems like that is precisely what everyone is doing and has been doing all this time. And now including you.


Vulnerability Disclosure Policy
- -------------------------------

No compensation or credit is expected for discovery of this
vulnerability.

This vulnerability was released in accordance with the Responsible
Disclosure Process draft.  Section 4.1, vendor policy, suggests that
vendors publish information including what Grace Period the vendor
wishes to observe, if any, before publishing details.

The xxt vendor challenged the public to find a vulnerability that
"would render a root shell when xxt is SUID root," with an implied
Grace Period of 0 days.  Since this vulnerability is less severe than
a root shell in general (at best it allows users to decrypt other
users' files, which only potentially affects root), it is reasonable
to follow the suggested 0 day Grace Period.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmcEARECACcFAj1s8YIgHGNob29zZS5hLmx1c2VybmFtZUBodXNobWFpbC5jb20ACgkQ
T4xCkuLXILpGnACdFNLmBq2BFaARfC8XrtECvGGd/6EAn01/l5ZMQChM8YcODzYMVTCp
d2Rc
=B9b0
-----END PGP SIGNATURE-----




Get your free encrypted email at https://www.hushmail.com