On Wed, 2002-07-31 at 10:48, Jose Nazario wrote:
> > 4) R attempts communication several times over the next 90 days, but
> > never receives a response.
>
> if the researcher doesn't attempt to work with an established third party
> (ie CERT, SecurityFocus) to get this contact made, they are acting in an
> irresponsible fashion. at least the researcher waited 90 days, though.

Refusing to work with an "established third party" does not constitute "irresponsible behavior". Arguably it does make the process smoother when a third party is used, but it should not be a litmus test for the proper way to notify a vendor, or any other purveyor of software or hardware. There are many researchers who do this work outside of any organization for any number of reasons, from questioning the motives of commercial security companies to disagreeing with directional statements from non-commercial entities. Regardless of the reason, very credible work has been performed by lone individuals, and we would be remiss in casting doubt on their methods and losing that advantage.

Established guidelines, that everyone can follow across organizational boundaries, are the best solution. Contact addresses, expectations of both the vendor and the researcher, and methodologies for distribution of a solution should be public knowledge and defined broadly by standards. Each vendor should also publish their own expectations with regard to handling vulnerabilities and bugs. Specifically, they should state where they are diverging from the aforementioned standards. In this way, the researcher knows what he or she is getting into by notifying the vendor. This doesn't mean that each vendor should have their own, unique policies, but they should make it clear so that responsible individuals can do their best to adhere to the ideas set forth and thus prevent threatening letters.
--
- branson
-------------------------------------------------------------------------------
Branson Matheson        " If you are falling off of a mountain,
Systems Consultant        You may as well try to fly."
Windborne, Inc.             - Delenn, Minbari Ambassador
( $statements = <BRANSON> ) !~ /Company Opinion/;