Full disclosure: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
m (link format)
m (Text replacement - "{{subpages}}" to "{{PropDel}}<br><br>{{subpages}}")
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{subpages}}
{{PropDel}}<br><br>{{subpages}}
<!-- Please ignore (but don't delete) any formatting that you are not familiar with. Others will probably chime in to help you set things up. -->
 
'''Full disclosure''' is a computer security vulnerability policy.  There has been much debate about full disclosure and responsible disclosure.  Disclosure policy is generally a matter of preference as no formalized or accepted guidelines exist.  Full disclosure is the policy of releasing computer security vulnerability details (and associated exploit code) to the internet without first informing the vendor and allowing them to fix the issue.  Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day"), since they can be used against systems without hope that users could patch.  The so called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities.
'''Full disclosure''' is a computer security vulnerability policy.  There has been much debate about full disclosure and responsible disclosure.  Disclosure policy is generally a matter of preference as no formalized or accepted guidelines exist.  Full disclosure is the policy of releasing computer security vulnerability details (and associated exploit code) to the internet without first informing the vendor and allowing them to fix the issue.  Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day"), since they can be used against systems without hope that users could patch.  The so called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities.


Line 8: Line 6:
[http://www.wiretrip.net/rfp/policy.html RFPolicy] is one of the most commonly cited and influential disclosure policies.  It outlines a method of communication with vendors to work towards a resolution of a security vulnerability.  The policy includes the implicit threat that uncooperative vendors will risk full disclosure.
[http://www.wiretrip.net/rfp/policy.html RFPolicy] is one of the most commonly cited and influential disclosure policies.  It outlines a method of communication with vendors to work towards a resolution of a security vulnerability.  The policy includes the implicit threat that uncooperative vendors will risk full disclosure.


Microsoft has responded to the full disclosure debate by describing a process of [http://blogs.technet.com/b/ecostrat/ coordinated disclosure], as opposed to the older concept of so-called "responsible disclosure."  Coordinated disclosure defines a process for working alongside a vendor to fix issues while still disclosing.
Microsoft has responded to the full disclosure debate by describing a process of [http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx coordinated disclosure], as opposed to the older concept of so-called "responsible disclosure."  Coordinated disclosure defines a process for working alongside a vendor to fix issues while still disclosing.
 
<references/>
 
<!--Please ignore the following lines if you are not familiar with the usage of subpages at Citizendium.-->


[[Category:CZ Live]]
{{reflist}}
[[Category:Articles without metadata]]
[[Category:Stub Articles]]
[[Category:Needs Workgroup]]

Latest revision as of 05:48, 8 April 2024

This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see
Category:Articles for deletion.


This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

Full disclosure is a computer security vulnerability policy. There has been much debate about full disclosure and responsible disclosure. Disclosure policy is generally a matter of preference as no formalized or accepted guidelines exist. Full disclosure is the policy of releasing computer security vulnerability details (and associated exploit code) to the internet without first informing the vendor and allowing them to fix the issue. Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day"), since they can be used against systems without hope that users could patch. The so called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities.

Full disclosure also refers to an unmoderated mailing list operated by http://grok.org.uk. The list charter states any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." The mailing list serves as an outlet for vulnerability disclosures.

RFPolicy is one of the most commonly cited and influential disclosure policies. It outlines a method of communication with vendors to work towards a resolution of a security vulnerability. The policy includes the implicit threat that uncooperative vendors will risk full disclosure.

Microsoft has responded to the full disclosure debate by describing a process of coordinated disclosure, as opposed to the older concept of so-called "responsible disclosure." Coordinated disclosure defines a process for working alongside a vendor to fix issues while still disclosing.