Vulnerability discovery credits, vendor acknowledgement, and CVE
Adam Shostack said:

> Alice takes her description of the problem, hashes it, and publishes
> the hash result in a widely archived forum. (I'd suggest Bugtraq or
> NTbugtraq, if their moderators are willing to let these through.) If
> Bob cheats, Alice publishes the file containing the description, and
> anyone can see that she had that description when she published the
> hash.

This exact sort of solution was suggested in Bugtraq a few weeks ago (I can dig up the reference later). I'm considering offering it as part of candidate reservation and including it in the (otherwise content-free) description for reserved candidates. That still doesn't solve the problem of people trusting *me*, however, but they can just give me the hash without the details. I can see there being a neutral (for some value of neutral) web site whose sole job is to register a hash and the time at which it was reserved.

With respect to Marcus' comments, it is clear that some vulnerability discoverers want proper credit for discovering something, and it is becoming a more common practice (consider Microsoft's acknowledgement policy and recent SGI advisories). If a discoverer has a way of registering that they knew about a vulnerability first, then maybe they can be more patient with the vendor.

While we're on the topic, a neutral third party who is part of the disclosure between discoverer and vendor will be able to minimize the "he said, she said" finger-pointing that goes on when the discoverer claims that the vendor didn't respond, and the vendor claims that they were never notified. This in turn could help make it more clear when a vendor is aware of, and has fixed, the vulnerability. 60% of all active CVE candidates don't have any concrete vendor acknowledgement, at least since I started recording it for CAN-1999-0671 and later. The percentage is probably higher if you consider the 300+ candidates still remaining from the draft CVE. I've had to delve into logs or READMEs to find some acknowledgement.

My personal hope is that the Security Focus and ICSA/NTBugtraq advisory writing services will be able to play this role. There are also evolving standards in vendor notification and public disclosure, e.g. Rain Forest Puppy's RFPolicy, and the upcoming vulnerability disclosure summit involving Guardent, eWeek, Security Focus, Symantec, MITRE, and others. (See http://www.guardent.com/pr2000-09-19-vulsum.html for the press announcement; I'll be the MITRE rep. attending.)

- Steve
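The hash-commitment scheme discussed in the thread (publish the hash now, reveal the description later, let a neutral registry record the time), written out as an added example that is not part of the original post or of CVE's own process. SHA-256, the random 32-byte nonce, and the in-memory `CommitmentRegistry` standing in for the proposed neutral web site are all assumptions of this example; the nonce is added because a bare hash of a short, guessable description could otherwise be confirmed by anyone who hashes candidate texts.

```python
import hashlib
import secrets
from datetime import datetime, timezone
from typing import Optional, Tuple

# --- Discoverer's side -------------------------------------------------------

def commit(description: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Commit to a vulnerability description without revealing it.

    Returns (nonce, commitment). The discoverer keeps the nonce and the
    description private and publishes only the commitment string.
    SHA-256 and the 32-byte random nonce are this example's assumptions;
    the original post names no algorithm.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + description).hexdigest()
    return nonce, digest


# --- Neutral registry (stand-in for the "neutral web site") -----------------

class CommitmentRegistry:
    """Records a commitment and the time it was first registered.

    It never sees the description, so the registry operator does not have
    to be trusted with vulnerability details, only with keeping the clock
    and the record honest.
    """

    def __init__(self) -> None:
        self._entries: dict = {}

    def register(self, commitment: str, when: Optional[datetime] = None) -> datetime:
        when = when or datetime.now(timezone.utc)
        # First registration wins: re-registering the same commitment must
        # never move its timestamp earlier.
        return self._entries.setdefault(commitment, when)

    def registered_at(self, commitment: str) -> Optional[datetime]:
        return self._entries.get(commitment)


# --- Verifier's side (vendor, coordinator, or anyone reading the archive) ---

def verify_opening(registry: CommitmentRegistry, nonce: bytes,
                   description: bytes) -> Optional[datetime]:
    """Given the revealed nonce and description, recompute the commitment.

    Returns the time that commitment was registered, or None if nothing
    matching was ever registered (which also covers a tampered reveal).
    The result proves possession of the text at that time, not that the
    text is correct or that the discoverer found the bug before others.
    """
    _, digest = commit(description, nonce)
    return registry.registered_at(digest)


def demo() -> bool:
    """Walk through commit, register, reveal, verify on constructed input."""
    registry = CommitmentRegistry()
    report = b"constructed sample report: buffer overflow in example daemon"  # constructed
    nonce, commitment = commit(report)
    registered = registry.register(commitment)          # publish hash only
    # Later, after the vendor disputes the timeline, reveal nonce + report.
    return verify_opening(registry, nonce, report) == registered


if __name__ == "__main__":
    print("commitment verified:", demo())
```

The nonce is what separates this from simply posting the hash of a file: without it, a third party who suspects what the report says can hash their guess and learn whether they are right before the discoverer chose to disclose.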