On Sun, Jan 15, 2006 at 11:43:34PM +0100, Max Vozeler wrote:
> this is an idea I've been playing with. I'm not sure I like it,
> but it seems interesting enough to consider.
Seconded.
> The process of auditing a source tree, finding potential bugs,
> evaluating their exploitability and scope, writing POCs and then
> discussing things with upstream and the security teams currently
> happens behind closed doors and largely in isolation. This closed
> nature of auditing work is probably inherent in the established
> "responsible disclosure" thing and IMHO makes sense to some extent.
Yes.
> But, at least in my view, it loses the fun involved in working
> with others on new vulnerabilities and seems to stand in the way
> of more cooperation between us people who audit software.
Definitely.
> A few times I've wanted to send something to debian-audit but
> then didn't because it would have disclosed information about a
> particular bug. So I thought: It would be cool to have a place for
> discussing things like new potential bugs, whether/how they are
> exploitable, possible fixes etc. without needing to water down the
> details enough for no bug information to get disclosed (which
> is probably impossible in some instances and boring in others.)
That is a good idea. In the past I've used livejournal for that
purpose, limiting access to a defined group of people and hoping
they won't leak. (To date nobody has, but also to date nothing
has been terribly severe or serious either.)
> About making this list closed: At first sight, it seems like it
> would go against #3 of our social contract, but I think it does
> not. The current process is largely closed already, and so not much
> better with regard to the social contract. A closed list would
> allow us to discuss things in private with a policy that those
> discussions get published somewhere as soon as the vulnerability
> itself becomes public. The result would be a much more open and
> transparent process than it currently is.
>
> What do you guys think?
I think the practical nature of publishing things after the
fact might be hard to manage. (Unless there is some magical
mailing list software that does the job already, of course.)
I could set up a list and have no archives fairly easily if
people thought that was useful. I think that mailman has a
mode for requiring approval from new members, but I'd need
to check.
Steve
--Received on Sun Jan 15 2006 - 22:48:23 GMT