
RE: [Dailydave] Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines



Interesting they skipped VulnWatch in this mailing.........  

> -----Original Message-----
> From: dailydave-bounces@xxxxxxxxxxxxxxxxxxxxx 
> [mailto:dailydave-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of dave
> Sent: Sunday, July 04, 2004 11:19 AM
> To: OIS
> Cc: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Dailydave] Re: [Full-Disclosure] Public Review of 
> OIS Security Vulnerability Reporting and Response Guidelines
> 
> Nobody trusts the OIS or its motives. I imagine this is 
> similar to the feedback you've gotten from everyone else as 
> well, but Immunity has no plans to subscribe to your 
> guidelines, and is going to oppose any efforts you make to 
> legislate those guidelines as law. In section 1.1 the draft 
> proposes that the purpose of the OIS's model is to protect 
> systems from vulnerabilities. This is fairly obviously untrue 
> - the purpose of the OIS is to lobby towards a business model 
> for Microsoft and the other OIS members that involves the 
> removal of non-compliant security researchers.
> 
> This call for feedback is a thinly disguised attempt to get 
> public legitimacy and allow the OIS to claim it has community 
> backing, which it clearly does not.
> 
> It's rare, but there are still security companies and 
> individuals who do not owe their entire business to money 
> from Microsoft. It's July 4th, and some of us are Americans 
> who understand the concept of independence.
> 
> Dave Aitel
> Immunity, Inc.
> 
> 
> 
> 
> OIS wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > The Organization for Internet Safety (OIS) extends an invitation to
> > the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> > lists to participate in the ongoing public review of the OIS Security
> > Vulnerability Reporting and Response Guidelines.
> > The OIS reviews the Guidelines annually to ensure that they remain
> > useful and relevant to the security community and, most importantly,
> > to the millions of computer users who are the ultimate beneficiaries
> > of effective computer security practices.  Over the past year, OIS has
> > received feedback from many adopters of the Guidelines as well as from
> > several public-private partnerships, and have incorporated much of
> > this feedback into an interim version that is available at
> > http://www.oisafety.org/review/draft-1.5.pdf.  We recommend reviewing
> > the interim version, but reviewers are welcome to provide feedback on
> > the original version at http://www.oisafety.org/reference/process.pdf
> > if they would like.
> >
> > For more information on the public review, please visit
> > http://www.oisafety.org/review-1.5.html.  The closing date for the
> > review has been extended until 16 July 2004.  We look forward to your
> > feedback.
> >
> > Regards,
> >
> > The Organization for Internet Safety
> > www.oisafety.org
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.3
> >
> > iQA/AwUBQOWQgbF9hclyvjnOEQIhmACfYlaHX2NnJbHUCaCYfMHO4tkGDh0AoMzz
> > KWNTvxgQVKXiC1OU9CR/rXYF
> > =4mT/
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://www.immunitysec.com/mailman/listinfo/dailydave
> 

