[9726] in bugtraq


Administrivia

daemon@ATHENA.MIT.EDU (Aleph One)
Mon Feb 22 13:58:12 1999

Date: 	Mon, 22 Feb 1999 10:10:30 -0800
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG

Full Disclosure Debate

I did say I would kill this thread come Monday. So that's what I'm doing.
I'll leave you with a little something from the (unreleased) BugTraq
FAQ:

1.9 What is the proper protocol when reporting a security vulnerability?

Everyone has a different opinion on what is the proper protocol. A sensible
protocol to follow when reporting a security vulnerability is as follows:

a) Contact the product's vendor or maintainer and give them a one or two week
period to respond. Make sure you ask for a reply. You may also want to contact
CERT, if for no other reason than to have them keep statistics. If they don't
respond post to the list.

b) If you do hear from the vendor, give them what you consider appropriate time
to fix the vulnerability. This will depend on the vulnerability and the
product. It's up to you to make an estimate. If they don't respond in time,
post to the list.

c) If they contact you asking for more time, consider extending the deadline in
good faith. If they continually fail to meet the deadline, post to the list.

When is it advisable to post to the list without contacting the vendor?

a) When you cannot find a contact within the vendor to make a report.

b) When the product is no longer actively supported.

c) When you believe the vulnerability to be actively exploited and not
informing the community as soon as possible would cause more harm than good.

All this being said, we would rather have people report vulnerabilities to the list
and not inform the vendors, whatever their reasons may be, than have them
keep the information to themselves.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
