Difference between revisions of "Full vs. Responsible Disclosure of Vulnerabilities"
From CyberSecurity
Revision as of 21:05, 11 November 2005
http://en.wikipedia.org/wiki/Full_disclosure
- What are software/hardware vulnerabilities?
- Why should we disclose vulnerabilities?
- What kinds of people discover vulnerabilities?
- What kinds of people take advantage of vulnerabilities?
- Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
- What constitutes a responsible disclosure?
- Is a vulnerability safe once people have responsibly disclosed it?
- If the software/hardware manufacturer cannot fix the vulnerabilities in a reasonable time, should the academic/research communities step in and help?
- Does "Open Source" necessarily mean full disclosure?
- Comparing the disclosure of vulnerabilities to disclosure in other, non-cyber fields, e.g. health and the environment
- Should we have a public committee to manage/control the flow of vulnerability information?
- Would a limited disclosure work? Once a patch is released, hackers can reverse-engineer it to understand the vulnerabilities.