Story: Security exploits: Who's to blame?
Vendors shouldn't lay down security related disclosure rules. Period.
When a researcher finds a flaw he/she should post it in full on a special members only disclosure list and 30 days after the same information should be posted on a public list by someone else. End of story.
That should motivate vendors and researchers alike to be very careful as to what they publish (or sell on the markets). As well as making sure that they follow up with all required resources.
Don't like? Then make sure that, 1, you don't get posted or, 2, that if you get posted you can fix things within 30 days.
Nothing is perfect. We all know that. So make sure that you're prepared to handle imperfections in a timely manner. In fact, that aspect should have been part of the general design.
The only two constants in IT are: damage and change. So master that. The rest will be part of history sooner or later.