Re: [ISN] Security Bug Disclosure Standard Dead In The Water

From: InfoSec News (isnat_private)
Date: Wed Mar 20 2002 - 01:13:47 PST


    Forwarded from: John Q. Public <tpublicat_private>

    On Tue, 19 Mar 2002, InfoSec News wrote:
    |By Brian McWilliams, Newsbytes
    |18 Mar 2002, 2:26 PM CST
    |Proponents of an effort to standardize the handling of computer
    |security vulnerabilities today aborted the effort after receiving
    |critical comments from reviewers.

    This makes me wonder if there was any thought put into multiple
    "standards" that would allow for organizations to pick one and stick
    with it.

    I believe there does need to be a concrete set of rules for security
    folks, but I don't think that one set of rules will fit everybody's
    I would not be surprised if we had up to three "choices" and each were
    adopted in nearly equal amounts.  At least then, there would be steps
    and policies that each group should abide by, and would help keep them
    out of trouble.

    Perhaps an aftereffect of this would be that all parties would soon
    realize that version "Delta" was less effective (or more destructive)
    than version "Alpha."  Additionally, we could see vendors request that
    reporters use a particular version over another one if it fits their
    timelines and responsibilities (but, of course, they will pick the
    most time-consuming and self-protective versions).