RFC: Vulnerability Reporting Process

  1. #1
    tonybradley (AO Security for Non-Geeks)
    Join Date
    Aug 2002
    Posts
    830

    RFC: Vulnerability Reporting Process

    A group of security research firms (Foundstone, @Stake, Guardent, ISS and more) formed the Organization for Internet Safety (OIS) in 2001. Other firms such as Oracle, Network Associates and Symantec have since jumped on board.

    They have created a draft document called Security Vulnerability Reporting and Response Process (download PDF). The idea is to set some sort of guidelines or standards to be used by individual researchers and research firms for how to go about reporting vulnerabilities in a secure and professional manner that does not disclose the vulnerability prematurely to the general public.

    The document has been released publicly and they are soliciting comments and feedback on the draft. The deadline for comments is July 7, 2003.

    For more information on OIS you can visit this FAQ page: Click Here

  2. #2
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Wow, that actually took off? I was wondering what happened with that doc.

    Have you had a chance to really pan through it? The last rev I saw looked a little rough, but that was ages ago, well, in computer time that is.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Anyone else thinking that this is a bad idea... or is that just me? A number of companies (Sun and MS being the biggest examples) have shown an unwillingness to patch software until someone forces their hand and posts the vulnerability. Hopefully bugtraq and NTbugtraq don't sign on to this crap... thank god for full disclosure.
    Who is more trustworthy than all of the gurus or Buddhas?

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    115
    This sounds just like when Richard Clarke and Howard Schmidt went around with the other document. I was fortunate enough to get invited to their Stanford meeting (met Whit Diffie, that was my highlight)... but let's see where all these "initiatives" go...

    -w0rm3y
