Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
daemon@ATHENA.MIT.EDU (Martin Sheppard)
Tue Sep 5 13:43:00 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <4.3.2.7.0.20000905171123.00c8a3e0@pop.dhn.csiro.au>
Date: Tue, 5 Sep 2000 17:17:41 +0930
Reply-To: Martin Sheppard <martin.sheppard@HSN.CSIRO.AU>
From: Martin Sheppard <martin.sheppard@HSN.CSIRO.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200009050356.VAA40419@harmony.village.org>
At 21:56 4/09/00 -0600, Warner Losh wrote:
>What's really needed is a vulnerability stamping service :-). In the
>coin collecting community, there are trusted parties that will encase
>a coin in lucite and engrave the date and their "mark" to show that
>this coin was encased in lucite on thus and such a date (or was given
>to them to be so encased on the date, it varies). This can be useful
>in the coin collecting community to establish that a certain coin was
>first of its type to enter circulation, etc. Maybe something similar
>is needed in the security community to strongly encourage advisory
>writers from acting prematurely because that's the only way to call
>"dibs" on a given vulnerability. For it to be truly effective it has
>to be done on a massive scale and get the word out to everybody in the
>community. It won't help people that release these things just to
>cause trouble, but it might take some of the pressure off.
Actually, this is surprisingly easy to do. As soon as the vulnerability is
discovered, a description is written and stored in a text file. The md5
hash of the text file is then posted to bugtraq, or whatever other
public forum you like, to mark the date when it was discovered. After the
vendor releases a patch you can release the description and anyone can
verify when it was discovered by looking at the date when the md5 hash was
published.
--
Martin Sheppard
Systems Administrator
CSIRO Health Sciences and Nutrition
Ph: (08) 8303 8812
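The commit-then-reveal scheme Martin describes, as an added example that is not part of the original post: the discoverer hashes the private description file, publishes only the digest, and after the patch ships releases the text so anyone can recompute the digest and compare it with the archived message. The description text is constructed for the example, the `algorithm` parameter is my own addition (the post says MD5; SHA-256 is offered because MD5 collisions have been practical since 2004), and the `posted_on` value is whatever date the public archive stamps on the message.

```python
import hashlib

# Constructed sample description (not a real vulnerability); stands in for the
# private text file the post says you write at discovery time.
DESCRIPTION = (
    b"Hypothetical overflow in examplecmd when given an overlong argument.\n"
    b"Found 2000-09-05. Details withheld until the vendor patch is out.\n"
)


def commit(description: bytes, algorithm: str = "md5") -> str:
    """Digest published to a public forum at discovery time.

    The post proposes MD5. 'sha256' is accepted as well: a commitment is only
    as strong as the hash's collision resistance, and MD5 collisions have been
    practical since 2004, so a modern commitment should use SHA-256.
    """
    return hashlib.new(algorithm, description).hexdigest()


def verify(description: bytes, published_digest: str, algorithm: str = "md5") -> bool:
    """Recompute the digest over the released text and compare it with the
    digest that appeared in the archive on the claimed date.

    The comparison is byte-exact: a changed line ending, re-wrapped paragraph
    or trailing space in the released text makes the check fail, so keep the
    original file bytes, not a copy pasted through an editor.
    """
    actual = hashlib.new(algorithm, description).hexdigest()
    return actual == published_digest.strip().lower()


def commitment_record(description: bytes, posted_on: str, algorithm: str = "md5") -> dict:
    """What the discoverer posts publicly: algorithm name, digest, and the
    date the archive stamped on the message (the only trusted timestamp).

    posted_on is assumed to come from the archive, not from the claimant.
    """
    return {
        "algorithm": algorithm,
        "digest": commit(description, algorithm),
        "posted_on": posted_on,
    }


if __name__ == "__main__":
    # Day 0: publish only the digest.
    record = commitment_record(DESCRIPTION, posted_on="2000-09-05")
    print("published:", record)

    # After the patch: release DESCRIPTION; a third party verifies it.
    print("matches archive:", verify(DESCRIPTION, record["digest"], record["algorithm"]))

    # A description edited after the fact does not match the archived digest.
    edited = DESCRIPTION.replace(b"overlong argument", b"malformed config file")
    print("edited text matches:", verify(edited, record["digest"], record["algorithm"]))
```

The record only proves that someone held a text with this digest on the archive's date; it says nothing about who, so the claimant should post from an identity they can later prove they control, and the verifier should read the digest from the archive rather than from the claimant.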