responsible disclosure

The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure

2002/07/12 : Michael Morgenstern and Tom Parker point to the failure of Christey and Wysopal's willingness to put in place common measures for responsible disclosure.

"Unfortunately, Steve Christey and Chris Wysopol's RFC of February...Read more

Exploit Code on Trial (Poulsen paper)

2003/11/23 : "Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any...Read more

Silence the best security policy - Lemos on Ranum's keynote

2000/07/26 : Ranum beggan a big debate with his keynote speech of the US Black Hat conference in Las Vegas, in 2000. Robert Lemos is here commenting what happened.

This artifact is part of the Bundle ...Read more

FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure Version 1.1 2020

Spring 2020 : Here is the Version 1.1 of the FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure. 

This artifact is part of the FIRST Vulnerability Disclosure Bundle...Read more

NIAC VULNERABILITY DISCLOSURE FRAMEWORK

2004/01/13 : The National Infrastructure Advisory Concil published in January 2004 their Final report and recommendations on vulnerability disclosure.

"The NIAC reached consensus that the nation’s interests are advanced by a commitment by all stakeholders in...Read more

Threat Complexity Requires New Levels of Collaboration - Stone and Moussouris on the creation of MSVR

2008/08 : Microsoft create the Microsoft Vulnerability Research Program (MSVR).Read more

AntiSec Policy

Here is the Anti-sec policy described by one of the members of the movement.

This artifact is part of the Anti-Sec movement Bundle.Read more

THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)

2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...Read more

Schneier - Crypto-Gram March 15, 2002

2002/03/15 : Schneier published his monthly newsletter.
Schneier gives this time a summary of the vulnerabilitiy disclosure actual issues.

"The history of the vulnerability's discovery and publication is an interesting story, and illustrates the...Read more

Deconstructing the myths behind the full-disclosure debate (Shepherd paper)

2003/01/22 : Stephen A. Shepherd published in SANS a paper which had a big influence on vulnerability disclosure discussion. He defines responsible disclosure and recalls the key events on vulnerability disclosure debate. Read more

ENISA - Good Practice Guide on Vulnerability Disclosure

2016/01/18 : ENISA (European Union Agency for Cybersecurity) publishes its Good Practice Guide on Vulnerability Disclosure.Read more

Subscribe to responsible disclosure