Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

On responsible disclosure...

singularity (2031) writes | more than 9 years ago

Security 1

A C|Net article, as referenced on Macintouch:

A C|Net article, as referenced on Macintouch:

At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.

"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

Hey - I have a solution! Who not simply say "Our policy is to release the details of the hole exactly one month after notifying the company."?

Mr. Schneier is correct - only full disclosure will keep the vendors honest. I do not see how giving a set time before releasing the exploit causes problems with this.

Now, I will say it is very possible that the article was written to have these two somewhat unrelated paragraphs next to each other. One seems to be talking about an embargo for a while after notifying the company, and the Counterpane quote seems to be talking about justifying releasing the information at all.

cancel ×

1 comment

I can think of one problem with it (1)

Marxist Hacker 42 (638312) | more than 9 years ago | (#11497655)

Not all bugs can be fixed in a month. Some may take a few hours, some may take a complete re-engineering of the system and a four-month software cycle to complete.
Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...