Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
Chris Wysopal <cwysopal@atstake.com> Mon, 30 December 2002 19:56 UTC
Received: from ran.ietf.org (ran.ietf.org [10.27.6.60]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA00721; Mon, 30 Dec 2002 14:56:23 -0500 (EST)
Received: from majordomo by ran.ietf.org with local (Exim 4.10) id 18T5zE-00037J-00 for ietf-list@ran.ietf.org; Mon, 30 Dec 2002 14:54:08 -0500
Received: from odin.ietf.org ([10.27.2.28] helo=ietf.org) by ran.ietf.org with esmtp (Exim 4.10) id 18Rgt0-0004lt-00 for ietf@ran.ietf.org; Thu, 26 Dec 2002 17:53:54 -0500
Received: from porfidio.atstake.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA16877 for <ietf@ietf.org>; Thu, 26 Dec 2002 17:48:23 -0500 (EST)
Message-ID: <3E0B8713.1040906@atstake.com>
Date: Thu, 26 Dec 2002 17:47:47 -0500
From: Chris Wysopal <cwysopal@atstake.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Valdis.Kletnieks@vt.edu, jasonc@science.org, coley@mitre.org, dee3@torque.pothole.com, ietf@ietf.org, kre@munnari.OZ.AU, info@knowngoods.org, Bruce Schneier <schneier@counterpane.com>, cert@cert.org, Clinton Kreitner <kreitner@home.com>, Alan Paller <AlanPaller@aol.com>, Hal Pomeranz <hal@deer-run.com>
Subject: Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
References: <ILEPILDHBOLAHHEIMALBIEDAEHAA.jasonc@science.org> <200212261833.gBQIXCb1003620@turing-police.cc.vt.edu> <87y96cd14p.fsf@deneb.enyo.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf@ietf.org
Precedence: bulk
Florian Weimer wrote:
> However, this is now a strawman. The document has clearly been
> overtaken by events (if it has ever been up-to-date). For example, it
> ignores that currently, those people who are expected to play the role
> of Coordinators usually provide paid prepublication access to
> vulnerability information. The draft does not require Coordinators to
> keep the information they receive strictly confidential, but I'm not
> sure if this was the intent of the authors or just an oversight.
>

I was not aware of the paid prepublication access that some coordinators provide at the time the draft was written. I don't know if Steve knew this. This was a new concept at the time. I have heard that CERT is willing to keep researcher submissions confidential if requested. But this is second hand knowledge.

To clarify the draft, it was not our intention to delve too deeply into standardizing coordinator behavior since the issues are many. We also scoped the document to not touch the issue of disclosure content.

My thoughts on coordinator behavior would be to keep the information confidential amongst researcher, coordinator, and potentially affected vendors. Every party that receives prepublication information increases the risk to the Internet as a whole while decreasing it for the party. Information is bound to leak as more parties are added to the prepublication list.

Prepublication is not a black or white issue. There are some organizations that prepublish minimal information such as the software and version affected by a vulnerability and perhaps workaround information. This is what ISS does. I have heard secondhand that CERT prepublication information is much more detailed. I could see a market for prepublication exploit code.

There is also the issue of what kind of organizations are allowed to join a prepublication group and what are the contractual limits of what they can do with the information they receive. For instance, can a security consulting company subscribe to the prepublication group and then use the information to protect their customers? There are many nuances once you allow prepublication.

Cheers,
Chris