amuse,

Reminder, "Responsible Disclosure" is still an emotional value-laden way to refer to reporting vulns to vendors for fixing.

The ISO standard is called "Coordinated Vulnerability Disclosure" and that's what we should be calling it. :)

adulau,

@amuse We still call it responsible based on the past experience where irresponsibility is still unfortunately a regular practice.

https://circl.lu/pub/responsible-vulnerability-disclosure/ @circl

amuse,

@adulau @circl when you say irresponsibility is a regular practice, who is being irresponsible specifically and what action are they taking that's not responsible?

adulau,

@amuse Some vendors who don’t take vulnerability disclosure seriously. Some security researchers reselling the vulnerability while doing disclosure via a CERT to claim they are ethical. Too many vulnerability disclosure platforms having two (or more) business plans (reselling CVD to customers while selling exploits). So we are still far away from a clean and smooth vulnerability disclosure process. @circl

amuse,

@adulau @circl so, if a researcher notices a flaw in popular software but there is nowhere to report it to and/or the authors are unresponsive so the researcher just drops the info on Twitter, which party is being irresponsible?

hdm,

@amuse @adulau @circl the researcher owns the work; they probably don't have a contract with the vendor's customers, they can do what they like.

amuse,

@hdm @adulau @circl sorry HD, but I was leading the witness here 😉

This goes back to why I don't like to use the phrase "responsible disclosure" because the way it's used inevitably puts the responsibility on the wrong party.

sergedroz,

@amuse @adulau @circl Both. Obvious for the vendor. But the researcher can be a bit more creative than just putting the info out. In many places, national CSIRTs will help.

Security research is more than finding vulnerabilities, the same as being a medical doctor is more than diagnosing illnesses and prescribing pills.

weddige,

@amuse until the coordination is going nowhere and you need to responsibly increase the pressure for the vulnerability to be fixed.

Coordinated disclosure is the way to go and "coordinated vulnerability disclosure" the right term. But sometimes you still have to deal with a guy with steam coming from his ears, who always prefers to shoot the messenger instead of admitting a mistake that takes his developers 20 minutes to fix.

amuse,

@weddige According to the ISO, the Coordination involves the vuln finder and the vuln fixer agreeing on an amount of time which is reasonable before disclosing the vuln. If you're the discloser and the fixer simply isn't fixing things, then you go ahead and disclose.

weddige,

@amuse The point I wanted to make was that even coordinated disclosure can't get rid of the emotions, and that the finder often has to decide what's an appropriate amount of time. But that is of course no reason not to try.
