Full disclosure in computer security still exists and is complementary to other disclosure models.
-
Full disclosure in computer security still exists and is complementary to other disclosure models. The evolution of vulnerability disclosure is not linear from full disclosure to responsible disclosure to coordinated disclosure. These models coexist and all need to be taken into account.
You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.
Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”
#cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability
@adulau fully agree. This is part of a larger governance discussion we avoid: how do we deal with different types of actors, which we can't contractually bind? I think it's also something we have to solve with regards to open source. You can't just take the old paradigms and say there is nothing else. It's something we constantly run into at the Geneva dialogue. What is clear is that there need to be more people at the table.
@sergedroz @adulau
Therein lies the chasm between operators and government. Operators, of necessity, deal with everyone, until they don't, and they depeer. Governments try not to deal with anyone else, until they have to, by which point it's generally too late to be useful.
@adulau context?
@adulau it is healthy in a system where the actors who have all the lawyers keep in the back of their minds that there might be someone, somewhere, who will simply publish that vulnerability they tried to bury under legalese.
@aristot73 It was when writing this blog post
Acknowledging Reality in Vulnerability Disclosure
Full Disclosure Still Exists and That’s Exactly the Point
Alexandre Dulaunoy - adulau - Home Page (www.foo.be)
I was able to shim in the famous balkanisation term.