If a tree falls in the woods…

If a researcher discloses a vulnerability only to VDBs (vulnerability databases), and some or all of them publish the information, was the vulnerability really disclosed? Yes, of course, but should it have been? Are VDBs responsible for the information? Does it fall on us to check everything we receive and verify that the vendor got it first? The snap answer is ‘yes’, but if so, is the answer the same for information published on a mailing list? The snap answer there is ‘no’.

This creates a situation where VDBs are held to certain standards of responsible disclosure and are virtually forced to play middleman between the vendor and the researcher. VDBs must either take on a role they may never have intended to, or take a hit to their reputation for handling information responsibly when that information may put others at risk.

Late night babbling, or is that a shitty deal for VDBs?
