| Subject: | Re: DJB's students release 44 *nix software vulnerability advisories |
|---|---|
| Date: | Fri, 17 Dec 2004 23:35:03 +0000 (GMT) |
On Fri, 17 Dec 2004, security curmudgeon wrote:

> In each case, Professor Bernstein notified the author of the vulnerable package on Dec 15 via e-mail. This mail hit Bugtraq on the 16th, giving one day for vendors to provide fixes. Is the class on responsible disclosure next semester perhaps?

To be honest, I was pleasantly surprised that DJB had bothered to contact the authors at all. He once said, in a discussion about the securesoftware mailing list, which he touted at the time as a competitor to bugtraq:

> "Immediate full disclosure, with a working exploit, punishes the programmer for his bad code. He panics; he has to rush to fix the problem; he loses users. You're whining that punishment is painful. You're ignoring the effect that punishment has on future behavior. It encourages programmers to invest the time and effort necessary to eliminate security problems."

http://groups-beta.google.com/group/comp.security.unix/msg/e576548f53195b01

By which standard, 24 hours is the height of responsibility. Admittedly, the vulnerabilities were notified to the securesoftware list (http://securesoftware.list.cr.yp.to/archives.html) concurrently with author notification, but since there have been only 57 messages sent to that list in the last three years, 44 of which were the student-discovered vulnerabilities themselves, I doubt it has a large readership ;-)

The actual notifications to the world (via slashdot and later bugtraq) don't seem necessarily to have occurred at DJB's instigation, so he may have been intending to give the authors a chance after all.

Notwithstanding all that, the course itself seems like an excellent idea to me, and it will be interesting to see if useful statistics on the rates of incidence of security holes in software, and techniques for detecting them and, ideally, preventing their inclusion in the first place, come out of it.

Julian

--
Julian T. J. Midgley http://www.xenoclast.org/
Cambridge, England. PGP: BCC7863F FP: 52D9 1750 5721 7E58 C9E1 A7D5 3027 2F2E BCC7 863F