RainForest Puppy is a well-known hacker who has uncovered a remarkable number of
vulnerabilities in different products. He has a long history of working with vendors,
sometimes successfully and at times unsuccessfully, to help them develop fixes for the
problems he has uncovered. The disclosure guidelines that he developed came from his years
of experience in this type of work, and from his frustration with vendors that would not
work with individuals like himself once bugs had been uncovered.
The key point about these disclosure policies is that they are only guidelines and suggestions
on how vendors and bug finders should work together. They are not mandated and cannot be
enforced. Because the RFP policy takes a strict stance on dealing with vendors on these issues,
many vendors have chosen not to work under it. As a result, another set of guidelines was
developed by a different group, one that includes a long list of software vendors.
Organization for Internet Safety (OIS)
There are three basic types of vulnerability disclosure: full disclosure, partial disclosure,
and nondisclosure. Each type has its advocates, and each has a long list of pros and cons that
can be debated. CERT and RFP both take a rigid approach to disclosure practices.