vulnerability disclosure debate

Schneier - Crypto-gram January 15, 2000

2000/01/15 - Schneier Crypto-Gram newsletter :
nCypher publically disclosed SSL private key vulnerabilities to sell their solution to fix the flaw. Schneier writes here his opinion against this practice. 

This article is part of the...Read more

Keeping Security Issues in the Open - Davies reaction on Culp essay

2001/10/26 : Davies gives his point of view on Clup essay : "He proposes a culture of secrecy, where the security professional should share his knowledge only with the software retailer or development group. This, he says, will "raise the bar" for those seeking to write destructive worms...Read more

AntiSec Policy

Here is the Anti-sec policy described by one of the members of the movement.

This artifact is part of the Anti-Sec movement Bundle.Read more

The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure

2002/07/12 : Michael Morgenstern and Tom Parker point to the failure of Christey and Wysopal's willingness to put in place common measures for responsible disclosure.

"Unfortunately, Steve Christey and Chris Wysopol's RFC of February...Read more

Full Disclosure: How Much Security Info Is Too Much? (Lyman article)

2001/10/02 : Jay Lyman writes into the NewsFactor Network about full disclosure debate. 

Read more

Ranum Keynote Slides (Black Hat Conference 2000)

2000/07/26 : Here are the slides of Ranum keynote at the US Black Hat conference.

Between 1999 and the mid 2000s, Ranum developed his critique of full disclosure, and he presented it as the keynote speech of the US...Read more

It's time to be responsible (Morgenstern, Parker and Hardy paper)

2002/03/01 : Michael Morgenstern, Tom Parker and Scott Hardy write about vulnerability disclosure debate occuring since one year. They assume "it's time to be responsible".

"Over the last 12 months various computer-using groups have been intensely debating the...Read more

Responsible Vulnerability Disclosure Process - draft-christey-wysopal-vuln-disclosure-00.txt

2002/02 : IETF Draft by Steve Christey from MITRE and Chris Wysopal :

"During the process of disclosure, many vendors, security researchers, and other parties follow a variety of unwritten or informal guidelines for how they interact and share information. Some parties may be unaware of...Read more

AntiSecurity Presentation

Here is the presentation of the AntiSecurity movement. 

This artifact is part of the Anti-Sec movement Bundle.Read more

"MS throttles research to conceal SW bugs" (Greene paper)

2001/11/09 : Thomas C. Greene expresses once again his opinion against Microsoft's way of handling vulnerability disclosure.

"Microsoft Security Manager Scott Culp revealed unilateral steps the company has taken to throttle the exchange of vulnerability ...Read more

Security in an Open Electronic Society - Levy reaction on Culp essay

2001/10/21 : Levy gives his point of view on Culp essay : "It appears Culp is more comfortable with an 'information dictatorship' or 'information oligarchy' model, and has entirely missed the fact that the movie house ...Read more

Full Disclosure of Vulnerabilities – pros/cons and fake arguments (Vidstrom paper)

2002/04/08 : Arne Vidstrom points a list of the pros, cons and fake arguments on full disclosure of vulnerabilities.

This artifact is part of the Culp debate Bundle.Read more

Subscribe to vulnerability disclosure debate
Need help with PECE?
Join the PECE Slack channel