Re: [ISN] Security Bug Disclosure Standard Dead In The Water

From: InfoSec News (isnat_private)
Date: Fri Mar 22 2002 - 00:06:20 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    > By Brian McWilliams, Newsbytes
    > 18 Mar 2002, 2:26 PM CST
    > Proponents of an effort to standardize the handling of computer
    > security vulnerabilities today aborted the effort after receiving
    > critical comments from reviewers.
    > In a message today to members of the Internet Engineering Task
    > Force's Security Area Advisory Group, the authors announced they
    > were withdrawing the draft in response to feedback from members who
    > felt the document was not appropriate for the IETF "since it does
    > not deal with technical protocols."

    Wonder if they had any other valid reason for rejecting this proposed
    RFC.  I was quite vocal about the document, primarily arguing against
    many aspects (at least the wording of it) and shared some concerns
    that Guninski and others had. Despite that, there is a need for such
    guidelines to help bug finders AND vendors in their handling of
    security issues.

    That said, I would love to know how this could be shot down on the
    grounds of it "not dealing with technical protocols" when other recent
    RFCs certainly don't deal with technical protocols either. What,
    scared to handle a topic that isn't "safe" and may cause debate?

    RFC 3233 - Defining the IETF
       This document gives a more concrete definition of "the IETF" as it
       understood today.  Many RFCs refer to "the IETF".  Many important
       IETF documents speak of the IETF as if it were an already-defined
       entity.  However, no IETF document correctly defines what the IETF

    RFC 3227 - Guidelines for Evidence Collection and Archiving
       A "security incident" as defined in the "Internet Security Glossary",
       RFC 2828, is a security-relevant system event in which the system's
       security policy is disobeyed or otherwise breached.  The purpose of
       this document is to provide System Administrators with guidelines on
       the collection and archiving of evidence relevant to such a security
       If evidence collection is done correctly, it is much more useful in
       apprehending the attacker, and stands a much greater chance of being
       admissible in the event of a prosecution.

    RFC 3198 - Terminology for Policy-Based Management
       This document is a glossary of policy-related terms.  It provides
       abbreviations, explanations, and recommendations for use of these
       terms.  The document takes the approach and format of RFC 2828, which
       defines an Internet Security Glossary. The intent is to improve the
       comprehensibility and consistency of writing that deals with network
       policy, particularly Internet Standards documents (ISDs).

    RFC 3184 - IETF Guidelines for Conduct
       This document provides a set of guidelines for personal interaction
       in the Internet Engineering Task Force.  The Guidelines recognize the
       diversity of IETF participants, emphasize the value of mutual
       respect, and stress the broad applicability of our work.

    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 04:20:54 PST