Sunday, June 15, 2003

Proper vulnerability reporting?

SlashDot has a pointer to a public draft of a bug disclosure standard.

Right off the top, I don't like it as it seems to leave all the chips on the vendor's side of the table. It also makes the "finder" traceable, which is not necessarily a "good thing" (tm) if the DMCA goes sour on vulnerability researchers.

Example: Say you find a really nasty bug and report it. Sometime during the 30-day waiting period, someone else discovers the bug and writes a virus exploiting that bug which takes down the Internet (à la Slammer). Mebbe I'm being paranoid, but don't you think that yours would be one of the first doors knocked on?

Besides, I've reported the same DoS bug to MS twice and it's still not fixed a year and a half later.

I guess you can put me on the "troublemaking-full-disclosure (shoot-these-people-first-when-we-take-over)" list of malcontents.