[Full-Disclosure] A two way street: Re: It takes two to tango Re: [Full-Disclosure] OT: Snosoft vs HP

From: Ron DuFresne (dufresneat_private)
Date: Wed Jul 31 2002 - 22:18:20 PDT

    It would seem that if vendors were to be fair about disclosure issues,
    they would recognise that security, as far as the triad of
    researcher/vendor/customer relationships goes, is at least a two-way street,
    if not a three-way intersection of responsibility and cooperation.  Note
    that all the pressure on the disclosure paradigm has been on the research
    community.  Researchers have been called to task to act responsibly, and
    to cooperate with vendors, often to the disadvantage of not only the
    researchers, but of the customer base of the vendors who clothe themselves
    in non-responsibility disclaimers on their products.
    
    Which vendors to date have adopted any standard of a responsible
    relationship with the researchers and their customer base such that:
    
    1>  they set up and actively monitor an account for vulnerability
    information on their products from the research community.
    
    2>  after working quickly with researchers to determine the validity of
    the vulnerabilities they have discovered, they then release, on their own, to
    their customers, or better yet openly on public lists such as this one, the
    information about the threats people are subject to due to the problems the
    researchers have identified.  A full vendor responsibility disclosure
    policy if you will, giving proper credit to the researcher<s> who
    discovered the vulnerability.  Hell, it allows someone to go out and
    write up a vendor disclosure compliance RFC and all too.
    
    This would give the researchers the proper credit they deserve, and make the
    vendors appear to be on the up and up with those researchers and their
    customer base.  A fair tradeoff of responsibility on both sides of the
    coin and a decent situation for customers, now feeling that their vendors
    might well have their best interests at heart.  It makes the researchers
    feel better about a responsible disclosure policy, as they get not only
    credit, but the sense that the vendors are paying attention to
    security and the need to improve their products, while putting them <the
    vendors> under the gun of responsibility to some sense that they have so
    far escaped in the real world.
    
    So, now, which vendors are up to the challenge?
    
    Thanks,
    
    
    Ron DuFresne
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
    
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Full-Disclosureat_private
    http://lists.netsys.com/mailman/listinfo/full-disclosure
    



    This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 22:55:15 PDT