Vulnerabilities are not like passwords. Passwords cannot be discovered by experimentation and analysis (well, not if they are good passwords). Passwords provide no risk unless actively disclosed. Vulnerabilities _do_ constitute an active risk regardless of whether they are disclosed or not, as people looking for them can (and will) find them eventually, and once they have, the details will spread explosively. Exposing them before they are fixed at least gives users the chance to defend themselves before this happens, even if that means closing down systems.

If there is a vulnerability in SL which was not already widely known - and how can one tell? - and which LL knew that they could fix quite shortly, then it would be best to err towards keeping it quiet until it was fixed. If there is not progress on fixing a vulnerability then it needs to be publicised so that people can account for it.
On 26 Dec 2008, at 19:08, Sheet Spotter wrote:
I made a few assumptions that may not be shared by everyone:
1. Vulnerabilities must not be publicly disclosed before they are corrected.
2. Vulnerabilities must be promptly assessed and mitigated by as small a group as possible (i.e., on a need-to-know basis).
3. Any limited disclosure of vulnerabilities is shortly followed by a broader, more public disclosure.

I see the disclosure of vulnerabilities as similar to the disclosure of your password. Publicly disclosing or sharing your password before you can change it is unwise.

Failure to publicly disclose a vulnerability (or your password) is not an example of "security through obscurity"; it's simply prudent to protect that information.

Vulnerabilities that are under investigation must be kept under wraps. Keeping them under wraps is not intended to deceive anyone or to deprive anyone of critical information. It is a necessary step until the problem can be resolved, just as maintaining the confidentiality of your password is necessary.

Limited disclosure of security bulletins is also an important step towards the public disclosure. It does not replace the public disclosure. Limited disclosure ensures all products -- not just LL products -- have an opportunity to address the vulnerability before it's widely known. Ideally any limited disclosure would only occur once LL was capable of identifying anyone attempting to use the vulnerability.

If there ever was a truly exceptional case where a vulnerability was so severe that it needed to be publicly disclosed before it was corrected, then the system should be shut down until the issue was resolved.

I have always taken security and vulnerabilities very seriously. I would love to know about them in advance, but I recognize and accept that it's not appropriate for me to know about them in advance. I *want* to know about them, I don't *need* to know about them.

Sheet Spotter
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: December 26, 2008 11:02 AM
To: Boy Lane
Cc: [email protected]
Subject: Re: [sldev] Viewer security vulnerability disclosure group
[...]
"telling everybody about a security vulnerability before remediation is available is bad."

So who decides who is "good" or "bad" to receive or not to receive security bulletins? [...]

I think the only way to properly handle security issues detected is to make everybody aware of them. [...]
Merry Xmas!
Boy
_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting
privileges