Information Security News mailing list archives

Re: Security Bug Disclosure Standard Dead In The Water


From: InfoSec News <isn () c4i org>
Date: Wed, 20 Mar 2002 03:13:47 -0600 (CST)

Forwarded from: John Q. Public <tpublic () dimensional com>

On Tue, 19 Mar 2002, InfoSec News wrote:

|http://www.newsbytes.com/news/02/175273.html
|
|By Brian McWilliams, Newsbytes
|BURLINGTON, MASSACHUSETTS, U.S.A.,
|18 Mar 2002, 2:26 PM CST
| 
|Proponents of an effort to standardize the handling of computer
|security vulnerabilities today aborted the effort after receiving
|critical comments from reviewers.

This makes me wonder if there was any thought put into multiple
"standards" that would allow for organizations to pick one and stick
with it.

I believe there does need to be a concrete set of rules for security
folks, but I don't think that one set of rules will fit everybody's
position.

I would not be surprised if we had up to three "choices" and each were
adopted in nearly equal amounts.  At least then, there would be steps
and policies that each group should abide by, and would help keep them
out of trouble.

Perhaps an aftereffect of this would be that all parties would soon
realize that version "Delta" was less effective (or more destructive)
than version "Alpha."  Additionally, we could see vendors request that
reporters use a particular version over another one if it fits their
timelines and responsibilities (but, of course, they will pick the
most time-consuming and self-protective versions).

.nhoJ



-
ISN is currently hosted by Attrition.org
