responsible disclosure

Interview with Rain Forest Puppy (by Parata)

2007/05/08 : Here is a Rain Forest Puppy interview done by Antonio Parata.

In June 2000, the hacker Rain Forest Puppy published his RFPolicy. The policy is known as the first attempt to formalize the complex issue of disclosure to the vendor or maintainer.

This...

The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure

2002/07/12 : Michael Morgenstern and Tom Parker point to the failure of Christey and Wysopal's willingness to put in place common measures for responsible disclosure.

"Unfortunately, Steve Christey and Chris Wysopol's RFC of February...

Toward the development of industry standards for security vulnerability handling - OIS objectives

Here is a presentation on objectives, the way of reporting and addressing vulnerabilities, security tools, and proposed organizational framework by OIS.

This artifact is part of the OIS Bundle.

What “Efail” Tells Us About Email Vulnerabilities and Disclosure (Lawfare article)

2018/05/24 : Article on the EFAIL vulnerability, email vulnerabilities and the patching of those vulnerabilities. It questions the safety of email in general.

A Call for Better Coordinated Vulnerability Disclosure (Microsoft and Google Project Zero)

2015/01/11 : Microsoft called for better coordinated vulnerability disclosure after "Google has released information about a vulnerability in a Microsoft product, two days before [their] planned fix on [their] well known and coordinated Patch Tuesday cadence, despite [their]...

US Vulnerabilities Equities Process (Fact Sheet)

2017/11/15 : "[T]he White House released a charter for the administration’s once-shadowy Vulnerabilities Equities Process (VEP)." (see : https://www.lawfareblog.com/...

'Responsible Disclosure' Draft Could Have Legal Muscle - Rasch on Christey and Wysopal draft

2002/03/11 : Rasch analyses the Christey and Wysopal IETF draft.

"The report articulates what many in the security industry have considered to be a reasonable method of reporting security vulnerabilities." (p.1) 

This artifact is part of the...

FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure

2017 : FIRST release their Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure.
"The purpose of this document is to assist in improving multi-party vulnerability coordination across different stakeholder communities."

This artifact is...

AntiSecurity Presentation

Here is the presentation of the AntiSecurity movement. 

This artifact is part of the Anti-Sec movement Bundle.

Deconstructing the myths behind the full-disclosure debate (Shepherd paper)

2003/01/22 : Stephen A. Shepherd published a paper with SANS that had a big influence on the vulnerability disclosure discussion. He defines responsible disclosure and recalls the key events in the vulnerability disclosure debate.
