Re: [ISN] Disclosure Guidelines For Bug-Spotters Proposed

From: InfoSec News (isnat_private)
Date: Mon Feb 25 2002 - 00:42:06 PST


    Forwarded from: John Q. Public <tpublicat_private>
    Just because you have a state-sponsored religion doesn't mean you'll
    convert everyone.
    I commend Steve and Chris for attempting this, but without a LOT of
    compromise, people are still going to bicker about which way is right.
    And we all know MS doesn't utilize RFCs to the letter, they tend to
    add their own features and break functionality for their own needs.  
    Just an example of how well RFCs are upheld in the real world.
    Don't get me wrong, I'll go read it, but I'm sure I can come up with a
    handful of people who will love it and equally as many who will hate
    On Fri, 22 Feb 2002, InfoSec News wrote:
    |By Steven Bonisteel, Newsbytes
    |21 Feb 2002, 5:21 PM CST
    |A pair of computer security researchers are seeking comments on a
    |proposal to bring order to the reporting and fixing of security holes
    |in software, a process that frequently takes place in adversarial
    |In a document known as an Internet Draft submitted to the Internet
    |Engineering Task Force (IETF), Steve Christey of MITRE and Chris
    |Wysopal of @stake outline what could become standard procedures for
    |both bug hunters and software vendors when dealing with newly
    |discovered vulnerabilities.
    |The "Responsible Disclosure Process" Internet Draft comes as even
    |Internet security sleuths themselves continue to debate how quickly
    |they should publish their reports and how detailed they should be.  
    |Meanwhile, software giant Microsoft Corp. has been the most vocal
    |among vendors who have criticized the bug hunters for reporting
    |problems before they are patched.
    |The full Internet Draft can be found here:  

    This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 04:02:40 PST