Re: Vulnerability Disclosure

[Mauro Flores <almauri () cs com uy>]

The're use to be a IETF draft about good policy for vuln-disclosure but
is now exipred... but maybe it can answer you some wuestions.
http://www.wiretrip.net/rfp/txt/ietf-draft.txt
Some time ago I used this draft for disclosure some vulns.

You can also check the X-Force Vulnerability Disclosure Guidelines at
http://documents.iss.net/literature/vulnerability_guidelines.pdf

my 2 cents.

regrads, Mauro Flores

On Tue, 2007-06-05 at 03:52 +0000, matt.steer () marstons co uk wrote:
> Hi Guys,
>
> I have been playing around with a program and have discovered a bug that I have successfully leveraged into code 
> execution. I reported my findings to the vendor, not yet receiving a reply; this is the first time I have done this. 
>
> The bug is in an installer and malicious input is crafted then pasted into an input field which is copied into a 
> buffer of insufficient size. The conditions of the exploit seem a little extreme to me, but it still results in code 
> execution. 
>
> The fact that it is in an installer, hence most likely requiring Admin rights, and is a local exploit the risk of 
> this vulnerability being exploited seems low (too me, not being a risk assessor!) . 
>
> This brings me to my question; 
>
> Should all vulnerabilities be disclosed to a vendor (at least!) however high or low risk?
>
> Ive never been a believer in Security through Obscurity, but do the people think there comes a point when it may just 
> be a waste of time?
>
> To be honest; I hope not!
>
> Matthew Steer