On Fri, 17 Dec 2004, security curmudgeon wrote: > > In each case, Professor Bernstein notified the author of the vulnerable > package on Dec 15 via e-mail. This mail hit Bugtraq on the 16th, giving > one day for vendors to provide fixes. > > Is the class on responsible disclosure next semester perhaps? To be honest, I was pleasantly surprised that DJB had bothered to contact the authors at all. He once said, in a discussion about the securesoftware mailing list, which he touted at the time as a competitor to bugtraq: "Immediate full disclosure, with a working exploit, punishes the programmer for his bad code. He panics; he has to rush to fix the problem; he loses users. You're whining that punishment is painful. You're ignoring the effect that punishment has on future behavior. It encourages programmers to invest the time and effort necessary to eliminate security problems." http://groups-beta.google.com/group/comp.security.unix/msg/e576548f53195b01 By which standard, 24 hours is the height of responsibility. Admittedly, the vulnerabilities were notified to the securesoftware list (http://securesoftware.list.cr.yp.to/archives.html) concurrently with author notification, but since there have been only 57 messages sent to that list in the last three years, 44 of which were the student discovered vulnerabilities themselves, I doubt it has a large readership ;-) The actual notifications to the world (via slashdot and later bugtraq) don't seem necessarily to have occurred at DJB's instigation, so he may have been intending to give the authors a chance after all. Notwithstanding all that, the course itself seems like an excellent idea to me, and it will be interesting to see if useful statistics on the rates incidence of security holes in software, and techniques for detecting them and, ideally, preventing their inclusion in the first place, come out of it. Julian -- Julian T. J. Midgley http://www.xenoclast.org/ Cambridge, England. PGP: BCC7863F FP: 52D9 1750 5721 7E58 C9E1 A7D5 3027 2F2E BCC7 863F