Re: Draft of security disclosure best practices

Rich,

There's obviously scope for debate about the best approach in any given
case, and you make an eloquent argument for one approach.

However, I think what is being said here is that *for the case where a
security researcher chooses the "responsible disclosure" path:*
(1) It is better that companies have policies about this, rather than no
policies, and
(2) We can write guidelines that can help companies improve those policies.

I actually don't think the W3C should step into the debate over whether
"full disclosure" or "responsible disclosure" (for want of better terms) is
"more responsible" - or at least not as part of this activity - not least
because there is a case by case judgement to be made and I agree with your
assertion that the security researchers in question are best placed to make
that judgement.

Perhaps the proposed guidelines should be clearer on that point?

...Mark

On Thu, Mar 2, 2017 at 4:21 AM, Rich Kulawiec <rsk@gsp.org> wrote:

> On Tue, Feb 28, 2017 at 04:17:31PM -0500, Philippe Le Hégaret wrote:
> > I don't think the draft is disagreeing with this statement. It proposes a
> > time period "(usually not to exceed 90 days)" before full disclosure can
> be
> > published, attempting to find a balance between existing regulations and
> > researchers' needs.
>
> The draft *sharply* disagrees with my statement.  I'm advocating immediate
> full disclosure (with no prior notification to anyone) as the default
> approach -- with an allowance for the very few edge cases in which this
> would cause substantial damage to the privacy/security of third parties,
> that judgment to be made by the people best-positioned to make it:
> security researchers.
>
> (It's worth noting that all security researchers worldwide combined could
> not do more damage to the privacy/security of third parties in a year --
> even if we worked overtime -- than many vendors/operations do in a day.
> Example: overnight, Yahoo announced a THIRD massive data breach, no
> doubt yet another unintended consequence of their decision to
> deliberately undercut their own security team.)
>
> > It is actually meant as a coordinated disclosure template. It doesn't use
> > the term "responsible disclosure" and doesn't attempt to push to shift
> > responsibilities around.
>
> I'm well aware that the draft doesn't use that term, however it clearly
> articulates an approach that's generally called "responsible disclosure"
> as a term of art by participants in the security field.  I quoted it
> throughout my message to reflect my view that "responsible disclosure"
> is actually very irresponsible: that is, this approach in practice is
> precisely the opposite of what responsible researchers should do.
>
> ---rsk
>
>

Received on Thursday, 2 March 2017 17:46:27 UTC