Security Proposal Renews Old Debate | eWeek

Security Proposal Renews Old Debate

Verfasst von
Dennis Fisher
Dennis Fisher
Mar 4, 2002
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

A proposal for a new process for disclosing security vulnerabilities has reignited the old debate over how flaws should be published and whether theres any way to regulate the process.

The document, titled “Responsible Disclosure Process,” outlines a detailed, step-by-step process for everyone involved in the discovery and reporting of vulnerabilities—including researchers, vendors and third-party security experts.

Written by Chris Wysopal, director of research and development at @Stake Inc., in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., based in Bedford, Mass., the document was forwarded to the Internet Engineering Task Force last week.

Its release comes at a time when the security community is struggling to find a common policy for vulnerability disclosure that is acceptable to everyone involved. This is a goal that many acknowledge may be unrealistic, considering the vastly differing motivations of the various players.

Wysopal and Christeys document, known as an Internet-Draft in IETF terminology, suggests that vendors work closely with the researchers who discover security flaws and keep them updated as the vendors work on patches or workarounds for vulnerabilities. Specifically, the proposal asks that vendors acknowledge receipt of the vulnerability report within seven days and provide a detailed response within 10 days.

The document also suggests that the vendor contact the person who found the flaw, called a “reporter” in the document, every seven days during the patch-research process and try to resolve the vulnerability within 30 days.

The proposal also lays out specific behavior for the reporters, a group that includes legitimate security researchers in corporate labs, hackers, researchers at security vendors looking for free publicity and any number of other participants.

However, some critics say the proposal is too detailed and lacks a set of consequences for researchers and vendors that fail to adhere to it.

“In general, I think its too detailed and long, fails to define repercussions if its not adhered to, puts too much onus on vendors, and fails to put enough responsibility on discoverers,” said Russ Cooper, surgeon general at TruSecure Corp., based in Herndon, Va.

“In my mind, you have to penalize those people who perpetrate attacks and those people who dont adequately secure the systems and networks they own or run,” said Cooper. “You crack down at the ISPs and make them do more to limit the effects of globally disseminated information.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.