
[TECH] "Responsible Disclosure Process" Released



Most of you know that Chris Wysopal and I have been working on producing a document that describes a responsible disclosure process. This is directly related to CVE in the following ways:

- The CVE Board has agreed that candidates must/should not be reserved for people who do not practice responsible disclosure (candidates will be assigned *after* publication). I hope that this document, or a later version of it, will become part of the "definition" of responsible disclosure.

- 50% of vulnerability reports are not explicitly acknowledged by the vendor, which directly affects the voting on candidates.

- As I begin to discuss disclosure more publicly, here and elsewhere, disclosure has other effects on CVE content.

The announcement follows.

- Steve

An Internet-Draft titled "Responsible Disclosure Process" has been released for comment by myself and Chris Wysopal of @stake. This Internet-Draft may be commented on by members of the IETF and the public. This is the first step toward establishing an RFC (Request for Comments) and Best Current Practice document. It is *not* an RFC document, and it does *not* represent a commitment by the IETF to an RFC. It is the first step within the IETF review process.

It should be noted that we plan to create a "sister document" that will contain recommendations for the contents of security advisories. The current Internet-Draft is focused on how the different parties interact, not the type of information that gets published.

Abstract

New vulnerabilities in software and hardware products are discovered and publicized on a daily basis. The disclosure of vulnerability information has been a divisive topic for years. During the process of disclosure, many vendors, security researchers, and other parties follow a variety of unwritten or informal guidelines for how they interact and share information. Some parties may be unaware of these guidelines, or they may intentionally ignore them. This state of affairs can make it difficult to achieve a satisfactory outcome for everyone who uses or is affected by vulnerability information. The purpose of this Internet-Draft is to describe best practices for a responsible disclosure process that involves vulnerability reporters, product vendors or maintainers, third parties, the security community, and ultimately customers and users.

Acknowledgements

We gratefully acknowledge the constructive comments received from several contributors. Any errors or inconsistencies in this Internet-Draft are solely the responsibility of the authors, and not of the reviewers. This document does not necessarily reflect the opinion of the reviewers or their parent organizations.
We would like to thank Andy Balinsky, Mary Ann Davidson, Elias Levy, Russ Cooper, Scott Blake, Seth Arnold, Rain Forest Puppy, Marcus Ranum, Lori Woeler, Adam Shostack, Mark Loveless, Scott Culp, and Shawn Hernan for their valuable input.

Obtaining the Internet-Draft

The Internet-Draft is accessible from the following URL:

http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

(This URL may be wrapped by your mail client.) Note that the version number of this draft will change as it is modified in response to public comments.

Commenting on the Internet-Draft

Discussion of the Internet-Draft is currently taking place on the IETF Security Area Advisory Group (SAAG) mailing list, although it is possible that the IETF may move the discussion to another location at a later date. SAAG mailing list archives and subscription information can be found at:

http://jis.mit.edu/mailman/listinfo/saag

IETF RFC Process

A high-level description of the IETF RFC process is at:

http://www.ietf.org/rfc/rfc3160.txt

Additional details on the Internet Standards Process are at:

ftp://ftp.isi.edu/in-notes/bcp/bcp9.txt

________________________________________________________________________

Steve Christey
Lead Information Security Engineer
The MITRE Corporation

Chris Wysopal
Director of Research and Development
@stake Inc.

Page last updated or reviewed: May 22, 2007