Security Policy

George Staikos kde-policies@mail.kde.org
Mon, 10 Mar 2003 17:15:57 -0500


On Monday 10 March 2003 16:19, Waldo Bastian wrote:
> I broadly agree with that but with two nuances:
> * I think it is important to alert users to a threat and to provide them
> with information on how to eliminate that threat, but I don't think that
> publishing detailed exploit information is in the interest of the user.
> * I think it's justified to delay the publishing of information when either
> a) a better impact analysis or b) a fix for the problem is actively being
> worked on. Once you disclose the threat there will be increased attention
> for that vulnerability, so it's very important to provide correct
> information and credible solutions to eliminate that threat at the time of
> disclosure. I also think that it is counter-productive to have multiple
> publications in short succession on a single issue since I think that
> blurs the attention of the users that you try to reach. I think perhaps the
> most critical element of a security update is the user having actually
> applied the update. For that, effective and efficient communication with
> the user is vital IMO. So I think that the goal should be to get it right
> and complete the first time.

  An additional note:  In the past (up until, I guess, the mid to late 1990s), 
it was often the case that exploits were just posted to bugtraq and the fixes 
would come later.  The new accepted policy for handling security holes is to 
contact the developers in private, organise a patch and press release date 
with the affected parties, and release as quickly as possible, 
simultaneously.  security@ addresses are generally used as contact points, 
and are considered to be private.

-- 

George Staikos