??? As the problem and fix are released to the public, the vendor is expected to credit
the originator for identifying the problem. This is considered a professional
gesture to the individual or company for voluntarily exposing the problem. If this
good faith effort is not executed, there will be little motivation for the originator
to follow these guidelines in the future.
Gray Hat Hacking: The Ethical Hacker??™s Handbook
54
??? The maintainer and the originator should make disclosure statements in
conjunction with each other so that all communication will be free from
conflict or disagreement. Both sides are expected to work together throughout
the process.
??? In the event that a third party announces the vulnerability, the originator and
maintainer are encouraged to discuss the situation and come to an agreement
on a resolution. The resolution could include the originator disclosing the
vulnerability, or the maintainer disclosing the information and available fixes
while also crediting the originator. The full disclosure policy also recommends
that all details of the vulnerability be released if a third party releases the
information first. Because the vulnerability is already known, it is the
responsibility of the vendor to provide specific details, such as the diagnosis,
the solution, and the timeframe.
Pages:
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169