Difference between revisions of "Full vs. Responsible Disclosure of Vulnerabilities"

Revision as of 22:44, 11 November 2005

What are software/hardware vulnerabilities?
Why should we disclose the vulnerabilities?
What kinds of peoples would discover the vulnerabilities?
What kinds of peoples would take the advantage of vulnerabilities?
Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
What constitute a responsible disclosure?
Does it mean safe if people responsibly disclose the vulnerabilities?
If the software/hardware manufacturer cannot fix the vulnerabilities in reasonable time, should the academic/research communities step in and help?
Does “Open Source” necessarily mean full disclosure?
Comparing the disclosure of vulnerabilities to other non-cyber industries, i.e. health, environment, food...
Discuss some examples of non-responsible disclosure and their result/affect.
Should we have a public committee to manage/control the info flow of vulnerabilities?
As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities. After a patch is released by manufacturer, hackers can apply reverse-engineering to understand the vulnerabilities. Would a limited disclosure work?
Should we do a better job on notifying/educating the public/consumers about vulnerabilities? Why people should care? What they should do?

@@ Line 2: / Line 2: @@
 * [http://en.wikipedia.org/wiki/RFPolicy RFPolicy]
 * [http://scholar.google.com/scholar?hl=en&lr=&q=cache:-nRocEJWmvQJ:www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.pdf+%22full+disclosure%22+responsible+vulnerabilities Vulnerability Disclosure, SANS Institute 2003]
+* [http://scholar.google.com/scholar?hl=en&lr=&q=%22full+disclosure%22+responsible+vulnerabilities Google Scholar search]