vulnerability disclosure debate

The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure

2002/07/12 : Michael Morgenstern and Tom Parker point to the failure of Christey and Wysopal's willingness to put in place common measures for responsible disclosure.

"Unfortunately, Steve Christey and Chris Wysopol's RFC of February...Read more

Full Disclosure of Vulnerabilities – pros/cons and fake arguments (Vidstrom paper)

2002/04/08 : Arne Vidstrom points a list of the pros, cons and fake arguments on full disclosure of vulnerabilities.

This artifact is part of the Culp debate Bundle.Read more

Schneier publications

Schneier - Crypto-Gram August 15, 1999
Schneier - Crypto-gram January 15, 2000
Schneier - Crypto-Gram February 15, 2000
Schneier - Cypto-Gram July 15, 2000
Schneier Keynote Speech at the US Black Hat Conference
Schneier - Crypto-Gram September 15, 2000
Three Minutes With Security Expert Bruce Schneier (PCWorld paper)
Schneier - Crypto-Gram November 15, 2001
Schneier - Crypto-Gram March 15, 2002
Schneier - Crypto-Gram February 15, 2003
Bug Bounty Programs Are Being Used to Buy Silence - Schneier Post
Ranum Keynote Slides (Black Hat Conference 2000)

2000/07/26 : Here are the slides of Ranum keynote at the US Black Hat conference.

Between 1999 and the mid 2000s, Ranum developed his critique of full disclosure, and he presented it as the keynote speech of the US...Read more

Do security holes demand full disclosure? - Pond answer to Ranum's Keynote

2000/07/26 : Ranum beggan a big debate with his keynote speech of the US Black Hat conference in Las Vegas, in 2000. Here is Weld Pond answer to it.

This artifact is part of the Bundle...Read more

Schneier - Crypto-Gram November 15, 2001

2001/11/15 : Schneier published his monthly newsletter.
He talks about Cert/CC creation and reacts here on Culp essay

"[Culp] claimed that we'd all be a lot safer if researchers would keep details about vulnerabilities to themselves, and stop arming...Read more

Full Disclosure is a necessary evil - Elias Levy

2001/08/15 : Elias Levy continues the full disclosure debate.Read more

Software Vulnerabilities: Full-, Responsible-, and Non-Disclosure - (Cencini, Yu and Chan publication)

2005/12/07 : Andrew Cencini, Kevin Yu, Tony Chan write upon the different choices of vulnerability disclosures.

"When a software vulnerability is discovered by a third party, the complex question of who, what...Read more

Schneier - Crypto-Gram September 15, 2000

2000/09/15 :  Schneier published his monthly newsletter and explains here his opinion on full disclosure debate.

"What’s interesting is that everybody wants the same thing; they’re just disagreeing about the best way to get there.
When a security vulnerability exists in a...Read more

NEOHAPSIS - LeBlanc reaction on Culp essay

2001/11/02 : David LeBlanc, founding member of the Trustworthy Computing Initiative at Microsoft, defend Culp. 

"So a vendor who won't fix bugs unless their customers are threatened with active attack is a very different problem than one who fixes problems...Read more

Information Anarchy: The Blame Game? - Edwards reaction on Culp essay

2001/10/23 : Edwards analyses Culp essay on information anarchy.

"It seems that Microsoft is doing that now indirectly with its new Strategic Technology Protection Program (STPP). The effects should...Read more

Culp - It's time to end information anarchy

2001/10 : Scott Culp, who founded MSRC (Microsoft Security Response Center), wrote an influential paper, after a series of attacks (virus and worms) from Feb to September 2001. At this time, the irritation against hackers and full disclosures was already calm since months.

Culp...Read more

Subscribe to vulnerability disclosure debate
Need help with PECE?
Join the PECE Slack channel