Internet Draft: Responsible Disclosure Process

    Date: 20 Feb 2002
    Posted By: Anthony Pell
    An Internet-Draft titled "Responsible Disclosure Process" has been released for commentary by me and Chris Wysopal of @stake. This Internet-Draft may be reviewed by members of the IETF and the general public. This is the first step towards establishing an RFC (Request for Comments) and Best Current Practices document.

    Date: Wed, 20 Feb 2002 00:55:01 -0500 (EST)
    From: Steven M. Christey
    To: [recipient address obfuscated on the page]
    Subject: Internet-Draft for "Responsible Disclosure Process" released

    An Internet-Draft titled "Responsible Disclosure Process" has been released for commentary by me and Chris Wysopal of @stake. This Internet-Draft may be reviewed by members of the IETF and the general public. This is the first step towards establishing an RFC (Request for Comments) and Best Current Practices document. This document is *not* an RFC, and it does *not* represent a commitment by the IETF to produce an RFC. It is the first step within the IETF review process.

    It should be noted that we plan to create a "sister document" that will contain recommendations for the contents of security advisories. The current Internet-Draft is focused on how the different parties interact, not the type of information that gets published.

    Abstract

    New vulnerabilities in software and hardware products are discovered and publicized on a daily basis. The disclosure of vulnerability information has been a divisive topic for years. During the process of disclosure, many vendors, security researchers, and other parties follow a variety of unwritten or informal guidelines for how they interact and share information. Some parties may be unaware of these guidelines, or they may intentionally ignore them. This state of affairs can make it difficult to achieve a satisfactory outcome for everyone who uses or is affected by vulnerability information.

    The purpose of this Internet-Draft is to describe best practices for a responsible disclosure process that involves vulnerability reporters, product vendors or maintainers, third parties, the security community, and ultimately customers and users.

    Acknowledgements

    We gratefully acknowledge the constructive comments received from several contributors. Any errors or inconsistencies in this Internet-Draft are solely the responsibility of the authors, and not of the reviewers. This document does not necessarily reflect the opinion of the reviewers or their parent organizations.

    We would like to thank Andy Balinsky, Mary Ann Davidson, Elias Levy, Russ Cooper, Scott Blake, Seth Arnold, Rain Forest Puppy, Marcus Ranum, Lori Woeler, Adam Shostack, Mark Loveless, Scott Culp, and Shawn Hernan for their valuable input.

    Obtaining the Internet-Draft

    The Internet-Draft is accessible from the following URL:
    http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
    (this URL may have been wrapped by your email client).

    Note that the version number of this draft will change as it is modified due to public commentary.

    Commenting on the Internet-Draft

    Discussion of this Internet-Draft is currently taking place on the IETF Security Area Advisory Group (SAAG) mailing list, although it is possible that the IETF may move the discussion to another location at a later date.

    SAAG mailing list archives and subscription information can be found at http://jis.mit.edu/mailman/listinfo/saag

    The IETF and RFC process

    A high-level description of the IETF and the RFC process is at http://www.ietf.org/rfc/rfc3160.txt

    Additional details on the Internet standards process are at ftp://ftp.isi.edu/in-notes/bcp/bcp9.txt

    ________________________________________________________________________

    Steve Christey
    Lead INFOSEC Engineer
    The MITRE Corporation

    Chris Wysopal
    Director of Research and Development
    @stake, Inc.
