Posted by jericho
Thu, 04 Aug 2005 09:50:04 GMT
If a researcher discloses a vulnerability only to VDBs, and some or all of them publish the information, was the vulnerability really disclosed? Yes, of course, but should it have been? Are VDBs responsible for the information? Does it fall on us to check everything we get and verify that the vendor received it first? Snap answer is ‘yes’, but if so, is the answer the same for information published on a mailing list? Snap answer is ‘no’.
This creates a situation where VDBs are held to certain standards for responsible disclosure, and are virtually forced to play middleman between the vendor and the researcher. VDBs are forced to take on a role they may not have intended to, or take a hit to their reputation for being responsible with information that may put others at risk.
Late night babbling, or is that a shitty deal for VDBs?
Posted in General Vulnerability Info | 3 comments
Posted by jericho
Tue, 02 Aug 2005 07:46:58 GMT
There are far too many articles covering this topic to justify me rewriting the story in my own words. So, in summary, here are the relevant links with background. End with Schneier’s commentary for a good summary and additional links.
BlackHat Briefings: Cisco IOS Security Architecture by Michael Lynn
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-schedule.html
Security researcher quits job and blows whistle on Cisco’s fatal flaws
http://www.boingboing.net/2005/07/27/securityresearcher.html
Cisco, ISS file suit against rogue researcher
http://www.securityfocus.com/news/11259
Cisco Security Hole a Whopper
http://www.wired.com/news/privacy/0,1848,68328,00.html
Cisco Security Advisory: IPv6 Crafted Packet Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
Cisco, ISS, Michael Lynn and Black Hat sign legal accord
http://www.networkworld.com/news/2005/072805-cisco-settlement.html
Cisco settles dispute with flaw researcher
http://news.com.com/2061-10789_3-5809295.html?part=rss&tag=5809295&subj=news
Text of the Cisco-ISS-Lynn-Black Hat Agreement
http://blogs.washingtonpost.com/securityfix/2005/07/textof_thecis.html
Rick Forno hosts Lynn PDF, gets C&D from ISS
http://www.infowarrior.org/users/rforno/lynn-cisco.pdf
Cisco Harasses Security Researcher
http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
Posted in Vulnerability Disclosure | no comments