[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines

To: OIS <announcements@xxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Mon, 05 Jul 2004 23:36:23 +0200

> The Organization for Internet Safety (OIS) extends an invitation to
> the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> lists to participate in the ongoing public review of the OIS Security
> Vulnerability Reporting and Response Guidelines.

The definition of the term "security vulnerability" still does not
match current industry practice.  Almost all COTS software lacks a
publicly reviewable design document, and popular software has not been
designed for Internet security *at* *all*.  In a few cases, this is
even acknowledged by the vendor (think of Microsoft Windows Me or
Microsoft Windows NT).

In fact, I can't think of any recent, critical vulnerability that
matches your definition of a vulnerability.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
  - From: OIS

Prev by Date: [Full-Disclosure] [sb] [ GLSA 200407-03 ] Apache 2: Remote denial of service attack
Next by Date: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
Previous by thread: Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
Next by thread: Betr.: Re: [Full-Disclosure] Fix for IE ADODB.Stream vulnerability is out
Index(es):
- Date
- Thread