As the saying goes, “You can’t make everyone happy all of the time.” A group of concerned
individuals came together to help make the vulnerability discovery process more
structured and reliable. While some question the group’s real allegiance, since it is made
up mostly of vendors, it is probably more a case of “A good deed never goes unpunished.”
The security community is always suspicious of others’ motives; that is what
makes it the “security community,” and it is also why continual debates surround
these issues.
Discovery
The OIS process begins when someone finds a flaw in the software. It can be discovered
by a variety of individuals, such as researchers, consumers, engineers, developers, gray
hats, or even casual users. The OIS calls this person or group the finder. Once the flaw is
discovered, the finder is expected to carry out the following due diligence:
1. Determine whether the flaw has already been reported in the past.
2. Look for patches or service packs and determine whether they correct the problem.
3. Determine whether the flaw affects the default configuration of the product.
4. Ensure that the flaw can be reproduced consistently.
After the finder completes this “sanity check” and is sure that the flaw exists, the issue
should be reported.