I’m giving a talk at Boston NAISG on September 17, 2009. Here’s the synopsis:
_Disclosure Samsara, or “the endless responsible vulnerability disclosure debate”_
Vulnerability disclosure has a purpose. It can help make software and hardware vendors and service providers accountable for shortcomings in their offerings; and detailed or full disclosure can give IT and information security professionals the information they need to validate the resilience and efficacy of their controls. Generally speaking, a happy balance is achieved when vulnerabilities are disclosed in a responsible manner. But what is “responsible”?
It’s been nearly a decade since the introduction of RFPolicy, a document often considered the basis for modern, responsible vulnerability disclosure, yet a significant division remains between the camps of “full disclosure”, “partial disclosure”, and “zero disclosure”. The “responsible disclosure” debate seems to be an endless cycle, coming back fully reconstituted *just* when we think it’s been run dry. Lawsuits, gag orders, and boatloads of drama are some of the negative things researchers have dealt with when disclosing a bug or flaw to a vendor or service provider. This type of reaction can be very discouraging for a security researcher, possibly leading them to forgo communication with the vendor in favor of disclosing the issue outright or even selling the details to the highest bidder.
With continued, accelerated awareness and discussion, the information security community can work toward solidifying an approach to responsible disclosure that, amongst other things:
* facilitates interaction between the researcher and vendor or service provider
* acknowledges the researcher’s work
* provides adequate protection for the security researcher
* builds a reasonable timeline and plan for a solution to the bug or flaw (and keeps parties from stalling)
* builds a reasonable timeline for public disclosure of the bug or flaw
Here’s to hoping I don’t totally suck.