On Sat, Jan 07, 2006 at 04:59:48PM +0100, Florian Weimer wrote: > * Georgi Guninski: > > > so you approve gaining pseudo credibility by practicing mouse copy/paste? > > > > then this pseudo credibility leads to corporate serving/licking like: > > "responsible disclosure rfc" - search for it. > > > > not than coley is consistent at all (besides lacking completeness): > > http://www.cve.mitre.org/board/archives/2002-02/msg00026.html > > ------------------- > > - The Board has agreed that CNAs should not reserve candidates for > > people who do not practice responsible disclosure (candidates would > > be assigned *after* publication). I hope that this document, or a > > later version, will become part of the "definition" of responsible > > disclosure. > > ------------------- > > Yes, this puzzles me too, but on the other hand, Debian became a CNA, > and Debian's official policy is geared away from "responsible > disclosure" -- all bug reports are supposed to be public.
Debian isn't a CNA; as far as I know, it isn't possible for organizations to become CNAs. Some of the people in security-related roles in Debian are also (individually) CNAs. Additionally, Debian has traditionally participated in coordinated disclosure, before CVE existed. -- - mdz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
