responsible disclosure

Efail: What A Disclosure FAIL That Was! (RBS article)

2018/05/16: Article criticizing the handling of the EFAIL vulnerabilities disclosure.

A Call for Better Coordinated Vulnerability Disclosure (Microsoft and Google Project Zero)

2015/01/11 : Microsoft called for better coordinated vulnerability disclosure after "Google has released information about a vulnerability in a Microsoft product, two days before [their] planned fix on [their] well known and coordinated Patch Tuesday cadence, despite [their]...

Three Minutes with Rain Forest Puppy (RFP interview by Zetter)

2001/09/28 : Here is a Rain Forest Puppy interview done by Kim Zetter about the RFPolicy.

In June 2000, the hacker Rain Forest Puppy published his RFPolicy. The policy is known as the first attempt to formalize the complex issue of disclosure to the vendor or maintainer....

Software Vulnerabilities: Full-, Responsible-, and Non-Disclosure - (Cencini, Yu and Chan publication)

2005/12/07 : Andrew Cencini, Kevin Yu and Tony Chan write about the different choices of vulnerability disclosure.

"When a software vulnerability is discovered by a third party, the complex question of who, what...

FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure Version 1.1 2020

Spring 2020 : Here is Version 1.1 of the FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure.

This artifact is part of the FIRST Vulnerability Disclosure Bundle...

CERT/CC Overview

2000/10 : CERT/CC is committed to a responsible policy. All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.

This artifact is part of ...

A Step Towards Information Anarchy: A Call To Arms - hellNbak

2001 : hellNbak proposes to enter the war against Culp's idea to "end information anarchy". According to him, security should not be a question of calm business but rather of a safe and well-informed public.

This artifact is part of the ...

ACM: Digital Library: Computers and Society - Bollinger paper

2004/12 : Jeff Bollinger explains his point of view in the vulnerability disclosure debate.

"To effect the optimal result of 'greatest good', each player in the disclosure process must agree and co-ordinate to achieve the greatest return, and lowest damages." (p.14)

This artifact...

How do we define Responsible Disclosure? - Shepherd

2003/04/22 : Stephen A. Shepherd defines what responsible disclosure is and summarizes the history of vulnerability disclosure up to that point.
