vulnerability disclosure debate

;LOGIN: SPECIAL ISSUE ON SECURITY

1999/11 : Marcus Ranum and Jeremy Rausch wrote both on this special issue on Security. Did Jeremy Rausch wrote to respond  to Ranum’s article? The two article side-by-bside seems an editorial choice, was it an order of the journal ?

Between 1999...Read more

ImageShack hacked in oddball security protest (anti-sec movement)

2009/07/13 : John Leyden explains how "Anti-Sec" broke into the big image hosting websites ImageShack.

This artifact is part of the Anti-Sec movement Bundle...Read more

Security woes: Who is to blame? - Culp interview

2001/11/08 : Robert Lemos interviewed Scott Culp for CNET News.

"The essay is not calling for people to refrain from looking for security vulnerabilities, to stop reporting them to the vendors, to stop telling customers about them. We don't want to change any of that. The only thing that...Read more

Deconstructing the myths behind the full-disclosure debate (Heiser 2001)

2001/01 : Heiser gives his critique on full disclosure. 

"The concept of full disclosure is, indeed, ambiguous, serving as a
politically correct shield behind which all manner of self-serving behavior
can be justified." (p. 2)Read more

Black Hat 2000 - Ranum and Granick VS Rausch and Amhed

April 2000, at the Black Hat Conference (Singapour) took place a debate with Ranum and Granick against Rausch and Amhed.Read more
Responsible Vulnerability Disclosure Process - draft-christey-wysopal-vuln-disclosure-00.txt

2002/02 : IETF Draft by Steve Christey from MITRE and Chris Wysopal :

"During the process of disclosure, many vendors, security researchers, and other parties follow a variety of unwritten or informal guidelines for how they interact and share information. Some parties may be unaware of...Read more

Schneier - Crypto-Gram November 15, 2001

2001/11/15 : Schneier published his monthly newsletter.
He talks about Cert/CC creation and reacts here on Culp essay

"[Culp] claimed that we'd all be a lot safer if researchers would keep details about vulnerabilities to themselves, and stop arming...Read more

Anti-hacking method of full disclosure under attack from a part of the security industry - McClure and Scambray

2000 : The authors explain their view pro full disclosure and its aim of educating people. They add their opinion on the bad sides of full disclosure.
"The only rational solution is to make the script kiddies responsible for their actions, as we do with all criminals...Read more

Peace of Mind Through Integrity and Insight - Manzuik reaction on Culp essay

2001/10/17 : "Code Red, Nimda and a few of the more recent worms were made possible not by the research that discovered the vulnerability they exploited but by the lack of awareness and training by system administrators who did not patch their systems." (p.1-2)

This artifact is part of...Read more

It's time to be responsible (Morgenstern, Parker and Hardy paper)

2002/03/01 : Michael Morgenstern, Tom Parker and Scott Hardy write about vulnerability disclosure debate occuring since one year. They assume "it's time to be responsible".

"Over the last 12 months various computer-using groups have been intensely debating the...Read more

Full Disclosure is a necessary evil - Elias Levy

2001/08/15 : Elias Levy continues the full disclosure debate.Read more

Exploit Code on Trial (Poulsen paper)

2003/11/23 : "Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any...Read more

Subscribe to vulnerability disclosure debate
Need help with PECE?
Join the PECE Slack channel