Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Florian Weimer wrote:

However, this is now a strawman.  The document has clearly been
overtaken by events (if it has ever been up-to-date).  For example, it
ignores that currently, those people who are expected to play the role
of Coordinators usually provide paid prepublication access to
vulnerability information.  The draft does not require Coordinators to
keep the information they receive strictly confidental, but I'm not
sure if this was the intent of the authors or just an oversight.

I was not aware of the paid prepublication access that some coordinators provide at the time the draft was written. I don't know if Steve knew this. This was an new concept at the time. I have heard that CERT is willing to keep researcher submissions confidential if requested. But this is second hand knowledge.

To clarify the draft, it was not our intention to delve too deeply into standardizing coordinator behavior since the issues are many. We also scoped the document to not touch the issue of disclosure content.
My thoughts on coordinator behavior would be to keep the information confidential amongst researcher, coordinator, and potentially affected vendors. Every party that receives prepublication information increases the the risk to the Internet as a whole while decreasing it for the party. Information is bound to leak as more parties are added to the prepublication list.
Prepublication is not a black or white issue. There are some organizations that prepublish minimal information such as the software and version affected by a vulnerability and perhaps workaround information. This is what ISS does. I have heard secondhand that CERT prepublication information is much more detailed. I could see a market for prepublication exploit code. There is also the issue of what kind of organizations are allowed to join a prepublication group and what are the contractual limits of what they can do with the information they receive. For instance, can a security consulting company subscribe to the prepublication group and then use the information to protect their customers? There are many nuances once you allow prepublication.

Cheers,

Chris





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux