NNSquad - Network Neutrality Squad


[ NNSquad ] Disclosure timeline for vulnerabilities under active attack


Disclosure timeline for vulnerabilities under active attack

http://j.mp/10B4cI2  (Google Online Security Blog)

   "Our standing recommendation is that companies should fix critical
    vulnerabilities within 60 days -- or, if a fix is not possible, they
    should notify the public about the risk and offer workarounds. We
    encourage researchers to publish their findings if reported issues
    will take longer to patch. Based on our experience, however, we
    believe that more urgent action -- within 7 days -- is appropriate for
    critical vulnerabilities under active exploitation. The reason for
    this special designation is that each day an actively exploited
    vulnerability remains undisclosed to the public and unpatched, more
    computers will be compromised. Seven days is an aggressive timeline
    and may be too short for some vendors to update their products, but it
    should be enough time to publish advice about possible mitigations,
    such as temporarily disabling a service, restricting access, or
    contacting the vendor for more information. As a result, after 7 days
    have elapsed without a patch or advisory, we will support researchers
    making details available so that users can take steps to protect
    themselves. By holding ourselves to the same standard, we hope to
    improve both the state of web security and the coordination of
    vulnerability management."

 - - -

This is indeed a very aggressive (but entirely appropriate) proposal
and policy, especially in light of the current environment.

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
_______________________________________________
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad