November 12, 2001
Is it impolite to protect

Is it impolite to protect yourself and warn others about security vulnerabilities without first waiting 30 days to see if they can be patched? Or the other way around?

Or as AnchorDesk Editorial Director Patrick Houston put it: "MS to hackers: Shhh, can't we be a little more discreet?"

See the ZDNet article by Robert Lemos' : MS group to oversee hack reports.

The latest announcement has already sparked controversy: Russ Cooper, a software security expert and editor of security mailing list "NTBugTraq," published his own guidelines for an independent security group, called the Responsible Disclosure Forum. Cooper boycotted Microsoft's conference largely because he distrusts the software giant's motives.
For the most part, however, Cooper and Microsoft agree on the problems that fully disclosing software flaws can create.
"You either participate in the Responsible Disclosure Forum, or you're a black hat bent on being malicious. End of story," he wrote in the introduction to the guidelines. "Too much money, too many individuals and too much of the world's communication rely on responsible disclosure for it to be continued to be seen as a discussion worth debating."
The Microsoft-supported guidelines tentatively give software makers 30 days to patch their products after being informed of a flaw. They also require members to respond promptly to a report of a security hole and keep the original author advised of their progress.
"This is something we talked about 11 months ago (at a previous security conference) and we have some real traction now," Microsoft's Culp said.
Posted by Lisa at November 12, 2001 12:45 PM | TrackBack
Me A to Z (A Work In Progress)