responsible disclosure

WEIS Workshop (Berkeley university)

2002/05/16-17 : Workshop on Economics and Information Security (WEIS) took place at the Berkeley university. Researchers met to work on the question of "Do we spend enough [or too much] on keeping `hackers' out of our computer systems?". They speak of possible coordinated disclosure...Read more

Black Hat 2000 - Ranum and Granick VS Rausch and Amhed

April 2000, at the Black Hat Conference (Singapour) took place a debate with Ranum and Granick against Rausch and Amhed.Read more
Guidelines and Practices for Multi-Party Vulnerability Coordination Open to Review (on FIRST Guidelines)

2017/01/20 : Omar Santos writes about the new FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure.

This artifact is part of the FIRST Vulnerability Disclosure Bundle...Read more

Responsible Vulnerability Disclosure Process - draft-christey-wysopal-vuln-disclosure-00.txt

2002/02 : IETF Draft by Steve Christey from MITRE and Chris Wysopal :

"During the process of disclosure, many vendors, security researchers, and other parties follow a variety of unwritten or informal guidelines for how they interact and share information. Some parties may be unaware of...Read more

ACM: Digital Library: Computers and Society - Bollinger paper

2004/12 : Jeff Bollinger explains his point of view in the vulnerability disclosure debate.

"To effect the optimal result of 'greatest good', each player in the disclosure process must agree and co-ordinate to achieve the greatest return, and lowest damages." (p.14)

This artifact...Read more

US Vulnerabilities Equities Process (Fact Sheet)

2017/11/15 : "[T]he White House released a charter for the administration’s once-shadowy Vulnerabilities Equities Process (VEP)." (see : https://www.lawfareblog.com/...Read more

Three Minutes with Rain Forest Puppy (RFP interview by Zetter)

2001/09/28 : Here is a Rain Forest Puppy interview done by Kim Zetter about the RFPolicy.

In June 2000, the hacker Rain Forest Puppy published his RFPolicy. The policy is known as the first attempt to formalize the complex issue of disclosure to the vendor or maintainer....Read more

Nomad Mobile Research Centre (NMRC) - Announcement

1999 : NMRC [Nomad Mobile Research Center] published a bug disclosure policy stating they would first verify the vulnerabilities they found, before notifying the vendor. The public will be informed one month after the vendor in case of a 'very high priority...Read more

Schneier - Crypto-Gram March 15, 2002

2002/03/15 : Schneier published his monthly newsletter.
Schneier gives this time a summary of the vulnerabilitiy disclosure actual issues.

"The history of the vulnerability's discovery and publication is an interesting story, and illustrates the...Read more

The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure

2002/07/12 : Michael Morgenstern and Tom Parker point to the failure of Christey and Wysopal's willingness to put in place common measures for responsible disclosure.

"Unfortunately, Steve Christey and Chris Wysopol's RFC of February...Read more

What “Efail” Tells Us About Email Vulnerabilities and Disclosure (Lawfare article)

2018/05/24: Article on EFAIL vulnerability, email vulnerabilities and the patching of those vulnerabilities. It questions the safety of emails in generalRead more

Subscribe to responsible disclosure