FORENSICS.ORG Security Coordinator wrote:
> On a related subject, everyone involved in the process of computer security
> vulnerability discovery, disclosure, and software bug fixes should take a
> moment to familiarize themselves with the internet draft of the Responsible
> Vulnerability Disclosure Process, and in particular note the important role
> of a third-party "coordinator" in cases where any party involved in the
> process needs help communicating with any other party to ensure proper
> handling and comprehensive understanding of complex technical materials:
>
> http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-0
> 0.txt
>
> Most vulnerability disclosures occur today without comprehensive
> cross-vendor research facilitated by a coordinator. Our group of forensic
> experts makes its members available to function as Security Coordinators to
> any party who needs this type of technical assistance.
>
I am getting tired with speculations about this draft which the IETF did not
approve.
So in the case with DNS browser fun, Microsoft denied this to be a problem, so
some good coordinator should try to convince them that this is really a bug and
they should be so kind to fix it, or am I missing something?
Or is the idea the coordinator to sell the info early?
What about the following: me becoming the personal coordinator of forensics.org
(without any obligations on my part, of course), i.e. whenever forencics.org
becomes aware of a 0day, they notify me about the 0day with full details?
In case you have missed it, some people quite disagree with the draft, check:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
Georgi Guninski
http://www.guninski.com
> On a related subject, everyone involved in the process of computer security
> vulnerability discovery, disclosure, and software bug fixes should take a
> moment to familiarize themselves with the internet draft of the Responsible
> Vulnerability Disclosure Process, and in particular note the important role
> of a third-party "coordinator" in cases where any party involved in the
> process needs help communicating with any other party to ensure proper
> handling and comprehensive understanding of complex technical materials:
>
> http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-0
> 0.txt
>
> Most vulnerability disclosures occur today without comprehensive
> cross-vendor research facilitated by a coordinator. Our group of forensic
> experts makes its members available to function as Security Coordinators to
> any party who needs this type of technical assistance.
>
I am getting tired with speculations about this draft which the IETF did not
approve.
So in the case with DNS browser fun, Microsoft denied this to be a problem, so
some good coordinator should try to convince them that this is really a bug and
they should be so kind to fix it, or am I missing something?
Or is the idea the coordinator to sell the info early?
What about the following: me becoming the personal coordinator of forensics.org
(without any obligations on my part, of course), i.e. whenever forencics.org
becomes aware of a 0day, they notify me about the 0day with full details?
In case you have missed it, some people quite disagree with the draft, check:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
Georgi Guninski
http://www.guninski.com