Shostack + Friends Blog Archive


Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame wrote two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment:

Based on the failings (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – which “trusted person or organization” is left “that can represent vulnerability researchers whose reputation is at stake when dealing with vendors”?

Let’s assume for a moment that, in fact, no one currently fills this role to everyone’s satisfaction. Furthermore, let us assume that (at least for certain large vendors) the extant system more or less works, but everyone wishes it were smoother and easier.
How do we improve the situation? Vendors really don’t like the vulnerability markets; researchers, quite understandably, fear liability; and users just want fixes. How would the role of a vulnerability disclosure agent straddle this three-sided fence? It seems to me that ideally, the agent would be a respected, disinterested third party, preferably a not-for-profit that accepts funding from neither vendors nor researchers. Coming from the corporate side, that sounds like a good balance to me. What say you? Does this make sense? Are there pitfalls I’m missing?

One comment on "Vulnerability Disclosure Agents Part N"

  • I think one piece of the debate/discussion we need to be clear about is vulnerabilities in what…
    – Client software
    – Websites
    There is a much bigger legal liability issue for the latter, though for some data on this check Jeremiah’s post today about policies in this area.
    Me – I’m not a big fan of markets, and especially not a big fan if the vuln is part of an online product.