Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt

Chris Wysopal <cwysopal@atstake.com> Mon, 30 December 2002 19:56 UTC

Received: from ran.ietf.org (ran.ietf.org [10.27.6.60]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA00721; Mon, 30 Dec 2002 14:56:23 -0500 (EST)
Received: from majordomo by ran.ietf.org with local (Exim 4.10) id 18T5zE-00037J-00 for ietf-list@ran.ietf.org; Mon, 30 Dec 2002 14:54:08 -0500
Received: from odin.ietf.org ([10.27.2.28] helo=ietf.org) by ran.ietf.org with esmtp (Exim 4.10) id 18Rgt0-0004lt-00 for ietf@ran.ietf.org; Thu, 26 Dec 2002 17:53:54 -0500
Received: from porfidio.atstake.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA16877 for <ietf@ietf.org>; Thu, 26 Dec 2002 17:48:23 -0500 (EST)
Message-ID: <3E0B8713.1040906@atstake.com>
Date: Thu, 26 Dec 2002 17:47:47 -0500
From: Chris Wysopal <cwysopal@atstake.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Valdis.Kletnieks@vt.edu, jasonc@science.org, coley@mitre.org, dee3@torque.pothole.com, ietf@ietf.org, kre@munnari.OZ.AU, info@knowngoods.org, Bruce Schneier <schneier@counterpane.com>, cert@cert.org, Clinton Kreitner <kreitner@home.com>, Alan Paller <AlanPaller@aol.com>, Hal Pomeranz <hal@deer-run.com>
Subject: Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
References: <ILEPILDHBOLAHHEIMALBIEDAEHAA.jasonc@science.org> <200212261833.gBQIXCb1003620@turing-police.cc.vt.edu> <87y96cd14p.fsf@deneb.enyo.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf@ietf.org
Precedence: bulk


Florian Weimer wrote:

>However, this is now a strawman.  The document has clearly been
>overtaken by events (if it has ever been up-to-date).  For example, it
>ignores that currently, those people who are expected to play the role
>of Coordinators usually provide paid prepublication access to
>vulnerability information.  The draft does not require Coordinators to
>keep the information they receive strictly confidential, but I'm not
>sure if this was the intent of the authors or just an oversight.
>
I was not aware of the paid prepublication access that some coordinators 
provide at the time the draft was written.  I don't know if Steve knew 
this.  This was a new concept at the time. I have heard that CERT is 
willing to keep researcher submissions confidential if requested. But 
this is secondhand knowledge.

To clarify the draft, it was not our intention to delve too deeply into 
standardizing coordinator behavior since the issues are many. We also 
scoped the document to not touch the issue of disclosure content.  

My thoughts on coordinator behavior would be to keep the information 
confidential amongst researcher, coordinator, and potentially affected 
vendors. Every party that receives prepublication information increases 
the risk to the Internet as a whole while decreasing it for the 
party. Information is bound to leak as more parties are added to the 
prepublication list.  

Prepublication is not a black or white issue.  There are some 
organizations that prepublish minimal information such as the software 
and version affected by a vulnerability and perhaps workaround 
information.  This is what ISS does.  I have heard secondhand that CERT 
prepublication information is much more detailed. I could see a market 
for prepublication exploit code. There is also the issue of what kind of 
organizations are allowed to join a prepublication group and what are 
the contractual limits of what they can do with the information they 
receive. For instance, can a security consulting company subscribe to 
the prepublication group and then use the information to protect their 
customers?  There are many nuances once you allow prepublication.

Cheers,

Chris