On Wednesday 11 January 2006 13:18, you wrote:
> :
> : It's probably worse. Any vulnerabilities found will almost assuredly
> : be classified or at least FOUO.
>
> That is so wrong, I can't even describe it.
>
> (Note: I am an employee of Coverity)
Really? What about NSTISSD 503, "Incident Response and Vulnerability Reporting for National Security System", "Protection of Vulnerability Reports -

a. Vulnerability reports shall be protected from public disclosure in accordance with applicable statutes, directives, executive orders, and regulations.

b. Vulnerability reports for commercial off-the-shelf systems or components...shall be unclassified and marked...FOUO.

c. Reports of vulnerabilities in national security systems that are not available for purchase by the general public shall be unclassified unless the exploitation of the vulnerability would result in the compromise of classified information or would present a significant negative impact on a national security organizational mission. In those instances, the originator may place a maximum classification on the vulnerability report equal to the level of the classified information processed on that system."

--
John R. Shannon

