* Matthew Murphy: > Let me just define "responsible disclosure" first of all, so as to > dissociate myself from the lunatic lawyers of certain corporations > (Cisco, HP, ISS, et al) who define "responsible disclosure" as > "non-disclosure". The generally accepted definition of responsible > disclosure is simply allowing vendors advance notification to fix > vulnerabilities in their products before information describing such > vulnerabilities is released.
Back in 2001, this was called "full disclosure", see: <http://www.wiretrip.net/rfp/policy.html> (The document is probably even older, use archive.org to find out.) In retrospect, "responsible disclosure" was always more a marketing term than anything else (just like "blended threat"). The implicit message that other disclosure processes were irresponsible was invaluable. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
