Vulnerability Disclosure Conference at Stanford

Jennifer Granick writes "Stanford Law School Center for Internet and Society, headed by Lawrence Lessig and Jennifer Granick, is hosting a day-long conference on vulnerability disclosure on November 22, 2003. The point is to get all sorts of people interested in vulnerability disclosure in the same room to discuss the issues and to come up with a clear definition of the problems and the costs and benefits of various solutions. This conference is really a workshop, and security researchers, vendor security teams, and system administrators should all consider attending and participating. For more information: http://cyberlaw.stanford.edu/security/"
  • Hmm (Score:1, Insightful)

    by Anonymous Coward
    The point is to get all sorts of people interested in vulnerability disclosure in the same room... ... shut the door, call FBI and arrest everyone present under some UCITA/Patriot/DMCA provision that allows the Feds to detain people for the intention of disclosing a vulnerability, not actually disclosing it.
  • this issue (full disclosure vs. cooperative disclosure vs. total secrecy) is one of those gun-control-type topics in software security. there's always gonna be people in each camp with opinions that just will not change no matter the argument or rationale presented.

    getting them together in this type of setting may convert a few people from one camp to another, make some knowledgeable of the arguments at hand, but I doubt it'll do anything useful in the long term to solve the issue because of those who will
  • by mrsev ( 664367 )
    I don't think there is one correct answer. If it is for a browser vulnerability then fine, total disclosure. If however you find a vulnerability in the net at your fire brigade call center then maybe not. It all depends on if the software is for public consumption. At the end of the day we need quick patches but not so quick that they are poorly designed.
  • by ubiquitin ( 28396 ) * on Thursday October 23, 2003 @09:48PM (#7297164) Homepage Journal
    Here's a plausible scenario: Mr. RemainNameless stumbles across a major sql injection vulnerability while browsing a WidgetCompany's site. He realizes that WidgetCompany now has his originating IP# and ISP information in their web server log files and could track him down to accuse him of an attack on their server. What to do? If he comes forward, they can accuse him of an attack. If he remains silent, the problem isn't fixed, and he might (especially if he is a security professional) be in trouble for not alerting anyone about this vulnerability, and there is a record in the log files that he knew about it.

    What's the best way to go about disclosing to a company that their network presence is vulnerable? What are the legal ramifications of doing so?
  • Do no harm (Score:2, Insightful)

    by Anonymous Coward

    Doctors take an oath swearing to not use their medical knowledge to do harm. This is a philosophy the security community should follow.

    There is no need to publish the full details of a security flaw, including working exploit code, until after the vendor has fixed it and some time has gone by to give people time to apply the fix.

    Some people believe they should immediately publish full details and exploit code without bothering with the vendor or without giving them time to fix the problem. That is irre
