Administrivia

From: Aleph One (aleph1at_private)
Date: Mon Feb 22 1999 - 10:10:30 PST


    Full Disclosure Debate
    
    I did say I would kill this thread come Monday. So that's what I'm doing.
    I'll leave you with a little something from the (unreleased) BugTraq
    FAQ:
    
    1.9 What is the proper protocol when reporting a security vulnerability?
    
    Everyone has a different opinion on what is the proper protocol. A sensible
    protocol to follow when reporting a security vulnerability is as follows:
    
    a) Contact the product's vendor or maintainer and give them a one or two week
    period to respond. Make sure you ask for a reply. You may also want to contact
    CERT, if for no other reason than to have them keep statistics. If they don't
    respond, post to the list.
    
    b) If you do hear from the vendor, give them what you consider appropriate time
    to fix the vulnerability. This will depend on the vulnerability and the
    product. It's up to you to make an estimate. If they don't respond in time,
    post to the list.
    
    c) If they contact you asking for more time, consider extending the deadline in
    good faith. If they continually fail to meet the deadline, post to the list.
    
    When is it advisable to post to the list without contacting the vendor?
    
    a) When you cannot find a contact within the vendor to make a report.
    
    b) When the product is no longer actively supported.
    
    c) When you believe the vulnerability to be actively exploited and not
    informing the community as soon as possible would cause more harm than good.
    
    All this being said, we'd rather have people report vulnerabilities to the list
    and not inform the vendors, whatever their reasons may be, than have them
    keep the information to themselves.
    
    
    --
    Aleph One / aleph1at_private
    http://underground.org/
    KeyID 1024/948FD6B5
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:40 PDT