Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-07 Thread Steven M. Christey

Based on my general impressions in day-to-day operations for CVE (around
150 new vulns a week on average), maybe 40-60% of disclosures happen
without any apparent attempt at vendor coordination, another 10-20% with a
communication breakdown (including cases where the vendor didn't answer in 2 days), and
the rest coordinated.  A bit of a guess there, though.

The only remotely relevant survey that I can think of was by me and
Barbara Pease, 6 years ago in 2001, and we were reduced to qualitative
analysis because data collection turned out to be too expensive, and this
was focused on vendor acknowledgement (which holds steady at 50% no matter
what the year).  But disclosure timelines are thankfully more prevalent
these days, so an updated study would be more illuminating.  I'm looking
forward to Richard Forno's study of vuln researchers whenever it comes

For obligatory SC-L content: this is one reason why I think vendor
development/maintenance processes need to be prepared for non-coordinated

- Steve
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

[SC-L] IEEE Workshop: Web 2.0 Security Privacy

2007-03-07 Thread Larry Koved
This is a workshop that may be of interest to subscribers of this mailing 

   Workshop Call for Position Papers

  W2SP 2007: Web 2.0 Security and Privacy 2007

  Sponsored by the IEEE Technical Committee on Security and Privacy
Held in conjunction with the 2007 IEEE Symposium on Security and Privacy

 Thursday, May 24, The Claremont Resort, Oakland, California

The goal of this one day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
2.0 security and privacy issues, and establishing new collaborations
in these areas.

Web 2.0 is about connecting people and amplifying the power of working
together.  The goal of connecting people is bringing together a broad
range of technologies and social forces.  We have witnessed a rapid
proliferation of social computing web sites and content.  This mixing
of technology and social interaction is also occurring in the context
of a wave of technologies supporting rapid development of these
interpersonal interactions.

Many of these new web technologies rely on the composition of content
and services from multiple sources. On one end of the technology
spectrum we have simple services such as blogs and wikis. However
there are far more complex technology composition (mash-up) examples.
The content composition trend is likely to continue. The lure is the
promise of inexpensive and easy ways to compose software service and

However, there are issues with respect to management of identities,
reputation, privacy, anonymity, transient and long term relationships,
and composition of function and content, both on the server side and
inside the web browser.  While the security and privacy issues are not
new (many of these issues already exist with portal servers and
browsers), the security issue is increasingly becoming acute as the
technologies are adopted and adapted to appeal to a wider developer
audience. Some of these technologies deliberately bypass existing
security mechanisms.  This workshop is intended to discuss the
limitations of the current technologies and explore alternatives.

The scope of W2SP 2007 includes, but is not limited to:

-- Identity, privacy, reputation and anonymity
-- End-to-end security architectures
-- Security of content composition
-- Security and privacy policy definition and modeling of 
   content composition
-- Provenance and governance
-- Usable security and privacy models
-- Static and dynamic analysis for security
-- Security as a service

Workshop Co-Chairs:
Larry Koved,  IBM T. J. Watson Research Center
Dan Wallach,  Rice University

Program committee:

Drew Dean (Yahoo)
Simone Fischer-Hubner (Karlstad University)
Larry Koved (IBM)
Shriram Krishnamurthi (Brown University)
John C. Mitchell (Stanford University)
Alex Russell (
Dan Wallach (Rice University)
Helen Wang (Microsoft)

Due to space limitations of the workshop venue, registration is limited
to 40 participants.  While not required, potential workshop
participants should submit a 1-2 page position statement on topics
relevant to Web 2.0 security and privacy issues.  This will help the
workshop organizers organize the day around topics of common interest,
and choose panels / papers to be presented.  Should the workshop be
oversubscribed, the program committee will strive to select
participants in a way that is balanced between academia and industry,
as well as across topics.  The program committee will also select
workshop position statements to appear on the workshop web site.

Important dates:
Position statement submission deadline: March 23, 2007
Workshop acceptance notification date: March 30, 2007
Workshop date: Thursday May 24, 2007

Workshop position statement submission web site:

Workshop registration will only be available via the 
2007 IEEE Symposium on Security and Privacy conference web site.

Larry Koved
IBM T.J. Watson Research Center