Even though eEye worked with Microsoft to correct the problem, and timed the release of its research with the release of Microsoft's own security bulletin and patch, certain circles still chastised eEye because the company's information included a working example. When eEye recently produced a sample program that demonstrates a security problem with Microsoft IIS, many users frowned on the company for doing so. But now it seems those practices are no longer good enough.Ĭase in point: eEye Digital Security. Both policies seem reasonable, and many hackers adhere to the policies. Russ Cooper has such a policy posted on his Web site however, a policy known as RFPolicy, authored by a person using the alias "rain forest puppy," is probably the most widely used standard in the hacker community today.Īccording to either policy, the basic course of action is for the hacker to notify the vendor about the alleged bug, give the vendor a reasonable response time, give the vendor time to produce a patch, and release the bug information in relative unison (not beforehand) with the company suffering from the bug.
Those discussions eventually led to several written policies that suggest a proper course of action that hackers should take with any release of security risk information.
#DIVISION OUT OF MAP ROGUE GLITCH FULL#
Also, heated discussions have taken place in past years about full disclosure of security risk details. The rogues of the hacker community have already proven that when given only minor details about a bug, they can produce a working exploit in a relatively short amount of time. Why not keep it amongst the people who are considered responsible security practitioners? Most attackers aren't smart enough to write exploits themselves, so they rely on other people to release them."Īctually, Cooper's statements make slight sense to me, but such a forum simply won't work.
In the article, Cooper said, "It's better for everyone if we keep \ to ourselves. Cooper didn't say how the forum will entice membership from the worldwide hacker community, but nonetheless, its objective seems clear: Curb the release of risk details in a manner that prevents exploitation. According to an article at MSNBC, Russ Cooper, moderator of the NTBugTraq mailing list and surgeon general at TruSecure, has undertaken a project to create what he calls the "Responsible Disclosure Forum." Cooper thinks such a forum will better govern the release of security risk information to the public because the forum will decide what information to release and when to release it. The practice of full disclosure of security risk information is again under attack.
0 kommentar(er)
