June 12th, 2003, 04:22 PM
RFC: Vulnerability Reporting Process
A group of security research firms (Foundstone, @Stake, Guardent, ISS and more) formed the Organization for Internet Safety (OIS) in 2001. Other firms such as Oracle, Network Associates and Symantec have since jumped on board.
They have created a draft document called Security Vulnerability Reporting and Response Process (download PDF). The idea is to set some sort of guidelines or standards to be used by individual researchers and research firms for how to go about reporting vulnerabilities in a secure and professional manner that does not disclose the vulnerability prematurely to the general public.
The document has been released publicly and they are soliciting comments and feedback on the draft. The deadline for comments is July 7, 2003.
For more information on OIS you can visit their FAQ page.
June 12th, 2003, 04:28 PM
Wow, that actually took off? I was wondering what happened with that doc.
Have you had a chance to really pan through it? The last rev I saw looked a little rough, but that was ages ago, well, in computer time that is.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 12th, 2003, 04:48 PM
Anyone else thinking that this is a bad idea, or is that just me? A number of companies (Sun, MS being the biggest examples) have shown an unwillingness to patch software until someone forces their hand and posts the vulnerability. Hopefully bugtraq and NTbugtraq don't sign on to this crap. Thank god for full disclosure.
Who is more trustworthy than all of the gurus or Buddhas?
June 12th, 2003, 05:02 PM
this sounds just like when richard clarke and howard schmidt went around with the other document. i was fortunate enough to get invited at their stanford meeting (met Whit Diffie, that was my highlight)... but let's see where all these "initiatives" go...