Full disclosure: Difference between revisions
Revisions compared: imported>Justin C. Klein Keane (Updated coordinated disclosure link to Microsoft) and imported>Meg Taylor (no edit summary)
Revision as of 03:02, 7 October 2013
Full disclosure is a vulnerability disclosure policy. There has been much debate about full disclosure versus responsible disclosure, and because no formalized or universally accepted guidelines exist, the choice of disclosure policy is largely a matter of the researcher's preference. Full disclosure is the practice of publishing vulnerability details (and often associated exploit code) to the internet without first informing the vendor and giving them time to fix the issue. A vulnerability with no available fix is known as a 0-day (pronounced "zero day" or "oh day"), because it can be used against systems whose users have no patch to apply. The so-called "0-day threat" refers to the risk posed by attacks on vulnerabilities that are undisclosed or previously unknown, and to how well systems can withstand such attacks before a fix exists.
Full disclosure also refers to an unmoderated mailing list operated by http://grok.org.uk. The list charter states that "any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." The mailing list serves as an outlet for vulnerability disclosures.
RFPolicy is one of the most commonly cited and influential disclosure policies. It outlines a method of communicating with vendors, including expected response times, to work towards a resolution of a security vulnerability. The policy carries the implicit threat that uncooperative or unresponsive vendors risk full disclosure.
Microsoft has responded to the full disclosure debate by describing a process of [http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx coordinated disclosure], as opposed to the older concept of so-called "responsible disclosure." Coordinated disclosure defines a process for working alongside a vendor to fix issues while still disclosing publicly once a fix is available, or sooner if the vulnerability is already being exploited.