
Vulnerability discovery credits, vendor acknowledgement, CVE



Adam Shostack said:

> Alice puts her description of the problem in a file, hashes it, and publishes
> the hash to a widely archived forum. (I'd suggest Bugtraq or NTbugtraq, if
> the moderators are willing to let these through.) If Bob cheats, Alice
> publishes the file containing the description, and anyone can see that she
> said it when she published the hash.

This solution was suggested on Bugtraq a few weeks ago (I can dig up the reference later). I've considered providing reservations for candidates, including reserving the (otherwise private) description of the candidate. That still doesn't solve the problem of people having to trust *me*, however, but they could give me the hash without the details. I could see having a neutral (for some value of neutral) site whose only role is to register a hash and record the time.

Regarding Marcus' comments, it's clear that some vulnerability discoverers want proper credit for discovering something, and this is becoming a more common practice (consider Microsoft's acknowledgement policy and recent SGI reports). If discoverers had a way of registering that they know about a vulnerability, then perhaps they could be more patient with vendors.

While we're on the topic, a neutral third party for disclosure between discoverers and vendors could minimize the "he said, she said" finger-pointing that goes on when a discoverer claims the vendor didn't respond and the vendor claims they were never notified. This in turn could help make it more clear when a vendor is aware of, and has fixed, the vulnerability. 60% of all active CVE candidates don't have any concrete vendor acknowledgement, at least since I started recording it for CAN-1999-0671 and later. The percentage is probably higher if you consider the 300+ candidates still remaining from the draft CVE. I've had to delve into logs or readme's to find some acknowledgement. My personal hope is that the Security Focus and ICSA/NTBugtraq advisory writing services will be able to play this role. There are also evolving standards in vendor notification and public disclosure, e.g. Rain Forest Puppy's RFPolicy, and the upcoming vulnerability disclosure summit involving Guardent, eWeek, Security Focus, Symantec, MITRE, and others. (See http://www.guardent.com/pr2000-09-19-vulsum.html for the press release; I'll be attending as a MITRE rep.)

- Steve
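The hash-publishing scheme quoted above is a commit-and-reveal protocol. The following is an added example (not code from the list message or from MITRE) showing how a discoverer would produce such a commitment, how a neutral registrar would record only the hash and its time, and how anyone can later check a revealed description against it. The domain-separation label and the random nonce are assumptions added here; the nonce matters because a short, guessable description could otherwise be recovered from the published hash by trial hashing.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumed label so that this hash cannot be confused with a hash of the same
# bytes computed for some other purpose.
DOMAIN_LABEL = b"vuln-commitment-v1\n"


def make_commitment(description: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex digest, nonce) for a description the discoverer keeps private.

    The discoverer publishes only the digest now and keeps the exact
    description bytes and the nonce for the later reveal.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha256()
    h.update(DOMAIN_LABEL)
    h.update(nonce)
    h.update(description.encode("utf-8"))
    return h.hexdigest(), nonce


def verify_commitment(description: str, nonce: bytes, published_hex: str) -> bool:
    """Anyone holding the revealed description and nonce can check them against
    the digest that was posted earlier; any byte change in the description fails."""
    expected, _ = make_commitment(description, nonce)
    return hmac.compare_digest(expected, published_hex)


class HashRegistry:
    """Minimal model of the neutral 'register a hash and record the time' site.

    It stores no descriptions, only digests and first-seen timestamps."""

    def __init__(self) -> None:
        self._entries = {}

    def register(self, commitment_hex: str, when: Optional[datetime] = None) -> datetime:
        when = when or datetime.now(timezone.utc)
        # First registration wins: re-submitting must not move the timestamp.
        return self._entries.setdefault(commitment_hex, when)

    def registered_at(self, commitment_hex: str) -> Optional[datetime]:
        return self._entries.get(commitment_hex)
```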

Page Last Updated or Reviewed: May 22, 2007