Re: Draft of security disclosure best practices

“full” or “responsible” seem like unnecessary qualifiers on disclosure that will end up being too much the focus of debate. I like that the current proposal simply sticks to “disclosure” by itself.

Jason

On 3/2/17, 11:41 AM, "Mark Watson" <watsonm@netflix.com<mailto:watsonm@netflix.com>> wrote:

Rich,

There's obviously scope for debate about the best approach in any given case, and you make an eloquent argument for one approach.

However, I think what is being said here is that for the case where a security researcher choose the "responsible disclosure" path:
(1) It it better that companies have policies about this, rather than no policies, and
(2) We can write guidelines that can help companies improve those policies

I actually don't think the W3C should step into the debate over whether "full disclosure" or "responsible disclosure" (for want of better terms) is "more responsible" - or at least not as part of this activity - not least because there is a case by case judgement to be made and I agree with your assertion that the security researchers in question are best placed to make that judgement.

Perhaps the proposed guidelines should be clearer on that point ?

...Mark

On Thu, Mar 2, 2017 at 4:21 AM, Rich Kulawiec <rsk@gsp.org<mailto:rsk@gsp.org>> wrote:
On Tue, Feb 28, 2017 at 04:17:31PM -0500, Philippe Le H??garet wrote:
> I don't think the draft is disagreeing with this statement. It proposes a
> time period "(usually not to exceed 90 days)" before full disclosure can be
> published, attempting to find a balance between existing regulations and
> researchers needs.

The draft *sharply* disgrees with my statement.  I'm advocating immediate
full disclosure (with no prior notification to anyone) as the default
approach -- with an allowance for the very few edge cases in which this
would cause substantial damage to the privacy/security of third parties,
that judgment to be made by the people best-positioned to make it:
security researchers.

(It's worth noting that all security researchers worldwide combined could
not do more damage to the privacy/security of third parties in a year --
even if we worked overtime -- than many vendors/operations do in a day.
Example: overnight, Yahoo announced a THIRD massive data breach, no
doubt yet another unintended consequence of their decision to
deliberately undercut their own security team.)

> It is actually meant as a coordinated disclosure template. It doesn't use
> the term "responsible disclosure" and doesn't attempt to push to shift
> responsibilities around.

I'm well aware that the draft doesn't use that term, however it clearly
articulates an approach that's generally called "responsible disclosure"
as a term of art by participants in the security field.  I quoted it
throughout my message to reflect my view that "responsible disclosure"
is actually very irresponsible: that is, this approach in practice is
precisely the opposite of what responsible researchers should do.

---rsk

Received on Thursday, 2 March 2017 23:57:16 UTC