responsible disclosure

ENISA Report - Economics of Vulnerability Disclosure

2018/12 : ENISA (European Union Agency for Cybersecurity) release its Economics of Vulnerability Disclosure Report.

"Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited....Read more

IETF

Responsible Vulnerability Disclosure Process - draft-christey-wysopal-vuln-disclosure-00.txt
'Responsible Disclosure' Draft Could Have Legal Muscle - Rasch on Christey and Wysopal draft
Schneier - Crypto-Gram March 15, 2002
The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure
How do we define Responsible Disclosure? - Shepherd

2003/04/22 : Stephen A. Shepherd define what is responsible disclosure and make a summary of vulnerability disclosure history at this stage.Read more

Creation of ZDI

https://www.zerodayinitiative.com/about/

Anti-Sec Movement

Ant-Sec - We are going to terminate Hackforums.net and Milw0rm.com - New Apache 0-day exploit uncovered
AntiSecurity Presentation
AntiSec Policy
ImageShack hacked in oddball security protest (anti-sec movement)
Exploit Code on Trial (Poulsen paper)

2003/11/23 : "Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any...Read more

CERT/CC Overview

2000/10 : CERT/CC is committed to a responsible policy. All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.

This artefact is part of ...Read more

ACM: Digital Library: Computers and Society - Bollinger paper

2004/12 : Jeff Bollinger explains his point of view in the vulnerability disclosure debate.

"To effect the optimal result of 'greatest good', each player in the disclosure process must agree and co-ordinate to achieve the greatest return, and lowest damages." (p.14)

This artifact...Read more

Full Disclosure of Vulnerabilities – pros/cons and fake arguments (Vidstrom paper)

2002/04/08 : Arne Vidstrom points a list of the pros, cons and fake arguments on full disclosure of vulnerabilities.

This artifact is part of the Culp debate Bundle.Read more

It's time to be responsible (Morgenstern, Parker and Hardy paper)

2002/03/01 : Michael Morgenstern, Tom Parker and Scott Hardy write about vulnerability disclosure debate occuring since one year. They assume "it's time to be responsible".

"Over the last 12 months various computer-using groups have been intensely debating the...Read more

A Step Towards Information Anarchy: A Call To Arms - hellNbak

2001 : Hellnbak proposes to enter the war against Culp's idea to "end information anarchy". Regarding to him, security should not be a question of calm business but more about safe and well-informed public.

This artifact is part of the ...Read more

Do security holes demand full disclosure? - Pond answer to Ranum's Keynote

2000/07/26 : Ranum beggan a big debate with his keynote speech of the US Black Hat conference in Las Vegas, in 2000. Here is Weld Pond answer to it.

This artifact is part of the Bundle...Read more

Subscribe to responsible disclosure
Need help with PECE?
Join the PECE Slack channel