Comments on hype-free: Disclosure policy = dead horse?

kuza55 (2007-03-02 05:31):

About the six months, sorry that was only an afterthought and I didn't check; my bad.

And the reason I was talking about the government was this line:
"If the industry manages to create a standard regarding this subject, it will enable to use legal methods to persecute those who don't follow these standards."

To me legal sounds like legislation.

And personally I think there is no need for an industry standard, because saying that if you do X we won't prosecute you is tantamount to implying that anything less is illegal, which it is not.

On a completely unrelated note; I'm curious if you have any figures about how many companies/researchers give/receive legal threats?

Cd-MaN (2007-03-01 11:05):

I completely agree with you that six months is waaaaaaay too long. That's why I said that it would be a screwup for the industry if they decided to go with six months. An acceptable timeframe in my humble opinion would be 30 days.

As for the researchers not creating the bugs: this is entirely 100% correct. The thing that they do (if they go on the full disclosure route without previous notification of the vendor) is to give tools to a large, mostly unethical crowd without giving the tools to those affected by the bugs to protect themselves.

And finally: I didn't advocate for the government to step in. I advocate for an industry standard where some big companies like MS (because we know that Oracle never will) stand up and say that "we won't persecute anyone who gave us X days in advance warning". And then, in case you find yourself in legal trouble, you can point to these "standards" and say that this is an industry standard which you follow, at which point you hopefully will be off the hook (while currently it is all a little blurry in this area and many people back off when they get legal threats because they have no clue what their chances are of winning or losing in court).

And it would also be good for the vendor, since they could plan ahead and set some goals for their security response team (something like: in 3 days we must be able to tell if this is exploitable or not, in 5 days come up with a mitigation solution and inform the affected clients, in 15 days come up with a patch, in 20 days it must be tested by QA and so on).

kuza55 (2007-03-01 09:55):

Furthermore I think 6 months is a *completely* unacceptable time-frame for patches. Any standard patch should not take more than a month to develop, fully test and release, preferably faster - anything less is negligence on the part of the vendor.

Of course, this isn't the case if it requires a complete architectural change of the software; but that is negligence on the part of the company anyway.

Because let's not forget - security researchers aren't the only ones looking for bugs. And 6 months is an enormous time-frame to find a vulnerability.

And I really do not understand why you would even consider holding a researcher responsible for bugs that the *vendor* created.

kuza55 (2007-03-01 09:29):

Let's for the moment forget that ethics don't particularly concern me in my work.

I really don't think legislating disclosure policy is a good idea.

First of all; it's legislating censorship of information. Sure it's (theoretically) for a limited amount of time, but once we start there's no way the government would relinquish control. (Sure the US government loosened crypto laws, but only after it was pointless because everyone else could clearly do what people in the US could, and was therefore potentially hurting industry.)

Exploits don't attack computers - people attack computers.

Secondly; there is no benefit to the industry, because there should not be any legal avenues for prosecuting researchers.

When crypto researchers find issues in government or other algorithms they aren't forced to disclose their findings to anyone before publishing - it's academic work. (I could be completely wrong, but nothing I've seen anywhere contradicts this.)

I think that security should be granted the same status of not having to comply with disclosure rules.

Furthermore any such legislation could simply drive the research offshore because other countries will most likely not implement any such laws.