Full Disclosure mailing list archives

Re: How to Report a Security Vulnerability to Microsoft


From: bkfsec <bkfsec () sdf lonestar org>
Date: Wed, 13 Apr 2005 13:50:25 -0400

Steve Friedl wrote:

> My personal resolution: write two advisories. The first one is released
> with the patch, but it doesn't contain a roadmap for how to create an
> exploit. This gives the researcher the credit for the initial discovery.
>
> The second advisory has all the details, and I'd hold it until either some
> time period (90 days?) or until an active exploit was circulating. This
> lets me publish the technical details sooner or later but at least gives
> a head-fake to "caring about the users".

I think that that's a reasonable position to take. I don't think that it's indefensible at all. I don't think that we can say that one policy applies to all situations, and that was really my point here. A lot of vendors (for their own gain, obviously) want to tie researchers down to one policy which is highly tilted in their favor. That's just not realistic. The researcher should have options in how to handle the disclosure, if only for the fact that limiting disclosure is a limit to our ability to share information - which is not a good thing. My point is that the researcher making the disclosure should determine their timeline, but with obvious consideration of the vendor and users, but that that should be a reasonable approach, and not followed because the researcher is forced to follow it.

            -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/