Message-ID: <BSTa0xkd6PUstoK62HXIf9i3UbZq_tCsSclHxAN7KTx3C1KFs-sF5C7ob4tsKCoYkw9Tb-axNViD4GKkd-VvX8g163zTLOvsngO4-M3jlus=@itk.swiss>
Date: Fri, 26 Jan 2018 10:23:49 -0500
From: Stiepan <stie@....swiss>
To: mjo@...o.mi.org, oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?

With the risk of displeasing the supporters of a "common sense" approach to this topic, I think that clear rules might be welcome: we as a profession should have a clear code of ethics, just like physicians do, instead of relying on the parties' social engineering skills to set the outcome of this kind of issue. End users would thank us, and the profession's image could evolve from pirate in a garage to a respectable one (by the majority), just like barbers became surgeons after some time, to keep the medical analogy.

There are of course precedents, such as the privacy professionals' code of conduct, to name one as an example (leaning towards secret keeping), but we lack a universal ethics code which would not be bound to a private certification body and would put the end user's interests first. I have yet to find something of the kind with broad applicability to the ICT security profession(s), but I would love to be corrected!

-------- Original message --------
On 24 Jan 2018 4:02, Mike O'Connor wrote:

> :Subject says it all: What do you do if you receive a vulnerability report,
> :and the reporter requests an embargo at some time in the future because
> :that's when their paper/conference presentation/patent submission is
> :scheduled?
> :
> :The obvious approach is to find a prior public report of essentially the same
> :bug and fix that (which will work surprisingly often), but let's assume that
> :this isn't the case.
>
> Well, does the embargo add value for the consumers of the product? That had historically been my guideline when I've had to make that call. Will it improve the fix, documentation, delivery mechanisms, etc.?
>
> Sometimes the answer is "yes". Other times, not so much, or it's fairly indeterminate. You don't always know all the facts or all the players; you're left with educated guessing. Sometimes you can persuade researchers to a vendor-friendly point of view on disclosure by simply asking them if they think this is in the best interests of the users. Other times, you work with someone who cares more about adding a CVE and/or bounty to their resume, or they are disingenuous or simply incapable of keeping secrets. If there's evidence of open exploitation, all bets should be off, and that should be stated up front. At that point, of course, it ceases adding value. An agreed disclosure date does not generally amount to an NDA or the like.
>
> -Mike
>
> --
> Michael J. O'Connor mjo@...o.mi.org
> =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
> "The defendant pleaded exterminating circumstances." -Anguished English