RFPolicy for vulnerability disclosure
daemon@ATHENA.MIT.EDU (rain forest puppy)
Mon Jun 12 20:43:39 2000
Message-ID: <Pine.LNX.4.10.10006121843380.21868-100000@eight.wiretrip.net>
Date: Mon, 12 Jun 2000 18:51:26 -0500
Reply-To: rain forest puppy <rfp@WIRETRIP.NET>
From: rain forest puppy <rfp@WIRETRIP.NET>
X-To: win2ksecadvice@listserv.ntsecurity.net, jericho@attrition.org,
vuln-dev@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@SECURITYFOCUS.COM
I'm not sure if anyone would be interested, but I thought I would give it
a whirl anyway just in case....

I just posted what I've dubbed as 'RFPolicy'. RFPolicy is an initiative to
help establish concrete guidelines for disclosure of security problems.
This was prompted due to many recent responses from vendors such as "we
were never given a chance", or "there is an 'unwritten' standard of
notifying the vendor X days ahead of time", etc.

My intent is not to push this policy onto the community. Everyone can
obviously do whatever they feel like. But *I* will be using this
disclosure policy in all future security disclosures, and I encourage
anyone wishing to use or modify it, to do so.

Feedback on the policy is also welcome. It can be found at:
http://www.wiretrip.net/rfp/policy.html

Thanks,
- rain forest puppy