Difference between revisions of "Full vs. Responsible Disclosure of Vulnerabilities"
From CyberSecurity
m |
m |
||
| Line 1: | Line 1: | ||
* [http://en.wikipedia.org/wiki/Full_disclosure Wikipedia: Full Disclosure] | * [http://en.wikipedia.org/wiki/Full_disclosure Wikipedia: Full Disclosure] | ||
* [http://en.wikipedia.org/wiki/RFPolicy RFPolicy] | * [http://en.wikipedia.org/wiki/RFPolicy RFPolicy] | ||
| + | * [http://scholar.google.com/scholar?hl=en&lr=&q=cache:-nRocEJWmvQJ:www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.pdf+%22full+disclosure%22+responsible+vulnerabilities Vulnerability Disclosure, SANS Institute 2003] | ||
| + | |||
| Line 12: | Line 14: | ||
* If the software/hardware manufacturer cannot fix the vulnerabilities in reasonable time, should the academic/research communities step in and help? | * If the software/hardware manufacturer cannot fix the vulnerabilities in reasonable time, should the academic/research communities step in and help? | ||
* Does “Open Source” necessarily mean full disclosure? | * Does “Open Source” necessarily mean full disclosure? | ||
| − | * Comparing the disclosure of vulnerabilities to other non-cyber | + | * Comparing the disclosure of vulnerabilities to other non-cyber industries, i.e. health, environment, food... |
| + | * Discuss some examples of non-responsible disclosure and their result/affect. | ||
* Should we have a public committee to manage/control the info flow of vulnerabilities? | * Should we have a public committee to manage/control the info flow of vulnerabilities? | ||
* As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities. After a patch is released by manufacturer, hackers can apply reverse-engineering to understand the vulnerabilities. Would a limited disclosure work? | * As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities. After a patch is released by manufacturer, hackers can apply reverse-engineering to understand the vulnerabilities. Would a limited disclosure work? | ||
* Should we do a better job on notifying/educating the public/consumers about vulnerabilities? Why people should care? What they should do? | * Should we do a better job on notifying/educating the public/consumers about vulnerabilities? Why people should care? What they should do? | ||
Revision as of 22:43, 11 November 2005
- What are software/hardware vulnerabilities?
- Why should we disclose the vulnerabilities?
- What kinds of peoples would discover the vulnerabilities?
- What kinds of peoples would take the advantage of vulnerabilities?
- Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
- What constitute a responsible disclosure?
- Does it mean safe if people responsibly disclose the vulnerabilities?
- If the software/hardware manufacturer cannot fix the vulnerabilities in reasonable time, should the academic/research communities step in and help?
- Does “Open Source” necessarily mean full disclosure?
- Comparing the disclosure of vulnerabilities to other non-cyber industries, i.e. health, environment, food...
- Discuss some examples of non-responsible disclosure and their result/affect.
- Should we have a public committee to manage/control the info flow of vulnerabilities?
- As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities. After a patch is released by manufacturer, hackers can apply reverse-engineering to understand the vulnerabilities. Would a limited disclosure work?
- Should we do a better job on notifying/educating the public/consumers about vulnerabilities? Why people should care? What they should do?
