Full Disclosure mailing list archives
Re: Open Letter on the Interpretation of "Vulnerability Statistics"
From: "Steven M. Christey" <coley () linus mitre org>
Date: Sat, 7 Jan 2006 12:14:06 -0500 (EST)
On Sat, 7 Jan 2006, Georgi Guninski wrote:
> - The Board has agreed that CNAs should not reserve candidates for people who do not practice responsible disclosure (candidates would be assigned *after* publication). I hope that this document, or a later version, will become part of the "definition" of responsible disclosure.

This has also somewhat evolved over time. "Responsible disclosure" or "coordinated disclosure" or whatever you want to call it is one of the best ways to ensure there is actionable, accurate, non-duplicated information at the time of disclosure. If you don't coordinate with a vendor, then your advisory will not have vendor fix information, the list of affected versions might be incomplete, the underlying bug diagnosis might be missing or wrong, and the only actionable items might be to reduce the affected functionality or use another product, which is not necessarily feasible in an organization with more than, say, 100 machines. This kind of information is important for assigning the correct number of candidates to an issue.

Florian - I don't see an incompatibility in Debian's approach. Before publication, Debian interacts with the vendor (i.e. itself and probably the maintainer).

- Steve