Full Disclosure mailing list archives
Re: Re: Public Review of OIS Security VulnerabilityReporting and ResponseGuidelines
From: "Gregh" <chows () ozemail com au>
Date: Thu, 8 Jul 2004 22:44:33 +1000
----- Original Message -----
From: "ET LoWNOISE" <et () cyberspace org>
To: "Fred Mobach" <fred () mobach nl>
Cc: <bugtraq () securityfocus com>; "OIS" <announcements () oisafety org>; <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>; <full-disclosure () lists netsys com>
Sent: Thursday, July 08, 2004 12:56 PM
Subject: [Full-disclosure] Re: Public Review of OIS Security VulnerabilityReporting and ResponseGuidelines
Instead of publishing personal opinions over the OIS, it's better to focus on the Guideline again. The Process is based entirely on the vendor but not on the customers, going against the "efforts to safeguard customers". Even the participants group doesn't include them as an active part of the process.
My response to the OIS is rather a simple one:

1) Someone decide upon a "source" to where all reports can go no matter what is in them. This source should be at an unable to be easily identified email account.

2) Source picks them all up and without fear or favour redistributes them in the same manner. Eg, if you are worried about being identified and hit by the authorities then don't include anything that can identify you as only the text of the letter is to be reproduced. People email "an address" in order to get on or off the list depending on how it is run by "the source".

I can do the above and I admit I am nowhere near the ability of most in the security field so I am sure there is someone who can do it. If the list maintainer is careful, I find it hard to believe anyone not wishing identification (which is basically self gratification) would be found. Thus, any rules people do not wish to adhere to (eg, governments thinking that anything to do with security is basically hacking etc) don't have to be adhered to.

If anyone gets enough guts to think this is a good idea and do it, do me a favour and call it either "Anarchy" or "Friar Tuck's revelations" (for those who don't understand, look up Spoonerisms and apply it to "Friar Tuck" which is what those that are telling the security industry that they can't do their jobs without being hit can do).

Oh and BTW, if you DO decide to do this, let me know! I want to be on it.

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html