[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] "responsible disclosure" explanation (an example of the fallacy of idealistic thought)
- To: Matthew Murphy <mattmurphy@xxxxxxxxx>
- Subject: Re: [Full-disclosure] "responsible disclosure" explanation (an example of the fallacy of idealistic thought)
- From: Florian Weimer <fw@xxxxxxxxxxxxx>
- Date: Thu, 11 Aug 2005 19:15:27 +0200
* Matthew Murphy:
> Let me just define "responsible disclosure" first of all, so as to
> dissociate myself from the lunatic lawyers of certain corporations
> (Cisco, HP, ISS, et al) who define "responsible disclosure" as
> "non-disclosure". The generally accepted definition of responsible
> disclosure is simply allowing vendors advance notification to fix
> vulnerabilities in their products before information describing such
> vulnerabilities is released.
Back in 2001, this was called "full disclosure", see:
<http://www.wiretrip.net/rfp/policy.html>
(The document is probably even older, use archive.org to find out.)
In retrospect, "responsible disclosure" was always more a marketing
term than anything else (just like "blended threat"). The implicit
message that other disclosure processes were irresponsible was
invaluable.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/