Re: In reply to comments about new policy

Pat Myrto (rwing!pat@ole.cdac.com)
Tue, 29 Nov 94 22:57:58 PST

"In the previous message, John DiMarco said..."
> 
> [ ... ]
> 
> Surely there is a third way: time-lapsed full disclosure. When a problem is
> discovered, don't announce it until there's a patch, then announce the problem
> and the patch together, without exploitation information. 

BINGO!!!!  That is what I (and many others) have been advocating all
along.  A stepwise approach:  Vendor first, then partial disclosure
(including note that full disclosure is coming in about a week or so -
depending on the individual problem at hand), and finally the full
disclosure, with at least an attempt at a fix included if humanly
possible.

If the hole was discovered via a cracker's break-in, that shortens the time
frame a lot, as the cat's pretty much out of the bag.

In no case should the delay be so long that the affected OS is dead and
stinking, though...

> After a suitable time (weeks?) has passed, the rest of the information can be
> announced.  But don't post scripts to exploit the bug; it gives root to too
> many newbies.

I'll go along with that.  But sufficient info for an admin to figure
things out enough to TEST for the bug.  It will help the admins, but I
think a canned gimmie-root script all ready to run is a bit much.

But I will take the canned scripts in preference to the CERT-like approach.

[ ... ]
-- 
pat@rwing  [If all fails, try:  rwing!pat@eskimo.com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.