Full vs. Responsible Disclosure of Vulnerabilities

From CyberSecurity
Revision as of 21:05, 11 November 2005 by Tonychan (talk | contribs)


http://en.wikipedia.org/wiki/Full_disclosure


  • What are software/hardware vulnerabilities?
  • Why should we disclose the vulnerabilities?
  • What kinds of people would discover the vulnerabilities?
  • What kinds of people would take advantage of the vulnerabilities?
  • Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
  • What constitutes a responsible disclosure?
  • Does it mean we are safe if people responsibly disclose the vulnerabilities?
  • If the software/hardware manufacturer cannot fix the vulnerabilities in reasonable time, should the academic/research communities step in and help?
  • Does “Open Source” necessarily mean full disclosure?
  • Comparing the disclosure of vulnerabilities to disclosure in other, non-cyber fields, e.g. health, environment
  • Should we have a public committee to manage/control the info flow of vulnerabilities?
  • Would a limited disclosure work? Once a patch is released, hackers can reverse-engineer it to understand the vulnerabilities.