Difference between revisions of "Full vs. Responsible Disclosure of Vulnerabilities"

Revision as of 20:59, 11 November 2005

What are software/hardware vulnerabilities?
Why should we disclose the vulnerabilities?
What peoples discover the vulnerabilities?
What peoples take the advantage of vulnerabilities?
Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
What constitute a responsible disclosure?
Does “Open Source” necessarily mean full disclosure?
Comparing the disclosure of vulnerabilities to other non-cyber subjects, i.e. health, environment
Should we have a public committee to manage/control the info flow of vulnerabilities?
Would a limited disclosure work? Once a patch is release, hackers can apply reverse-engineering to understand the vulnerabilities.

@@ Line 6: / Line 6: @@
 * What peoples discover the vulnerabilities?
 * What peoples take the advantage of vulnerabilities?
-* Once people discover vulnerabilities, how much should they disclose (full/partial)?  Who should they disclose to (public/academic/manufacturer-only)? When should they disclose?
+* Once people discover vulnerabilities, how much should they disclose (full/partial)?  Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
 * What constitute a responsible disclosure?
 * Does “Open Source” necessarily mean full disclosure?
 * Comparing the disclosure of vulnerabilities to other non-cyber subjects, i.e. health, environment
-* Should we have a public committee to manage/control the info of vulnerabilities?
+* Should we have a public committee to manage/control the info flow of vulnerabilities?
+* Would a limited disclosure work?  Once a patch is release, hackers can apply reverse-engineering to understand the vulnerabilities.