Full disclosure: Difference between revisions
imported>Justin C. Klein Keane (Initial stub) |
imported>Hayford Peirce (put Bold on the lede words as per CZ convention) |
||
Line 1: | Line 1: | ||
{{subpages}} | {{subpages}} | ||
<!-- Please ignore (but don't delete) any formatting that you are not familiar with. Others will probably chime in to help you set things up. --> | <!-- Please ignore (but don't delete) any formatting that you are not familiar with. Others will probably chime in to help you set things up. --> | ||
Full disclosure is a computer security vulnerability policy. There has been much debate about full disclosure and responsible disclosure. Disclosure policy is generally a matter of preference as no formalized or accepted guidelines exist. Full disclosure is the policy of releasing computer security vulnerability details (and associated exploit code) to the internet without first informing the vendor and allowing them to fix the issue. Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day"), since they can be used against systems without hope that users could patch. The so called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities. | |||
'''Full disclosure''' is a computer security vulnerability policy. There has been much debate about full disclosure and responsible disclosure. Disclosure policy is generally a matter of preference as no formalized or accepted guidelines exist. Full disclosure is the policy of releasing computer security vulnerability details (and associated exploit code) to the internet without first informing the vendor and allowing them to fix the issue. Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day"), since they can be used against systems without hope that users could patch. The so called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities. | |||
Full disclosure also refers to an unmoderated mailing list operated by http://grok.org.uk. The list [http://lists.grok.org.uk/full-disclosure-charter.html| charter] states any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." The mailing list serves as an outlet for vulnerability disclosures. | Full disclosure also refers to an unmoderated mailing list operated by http://grok.org.uk. The list [http://lists.grok.org.uk/full-disclosure-charter.html| charter] states any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." The mailing list serves as an outlet for vulnerability disclosures. |
Revision as of 16:02, 21 July 2010
Full disclosure is a computer security vulnerability policy. There has been much debate about full disclosure and responsible disclosure. Disclosure policy is generally a matter of preference as no formalized or accepted guidelines exist. Full disclosure is the policy of releasing computer security vulnerability details (and associated exploit code) to the internet without first informing the vendor and allowing them to fix the issue. Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day"), since they can be used against systems without hope that users could patch. The so called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities.
Full disclosure also refers to an unmoderated mailing list operated by http://grok.org.uk. The list charter states any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." The mailing list serves as an outlet for vulnerability disclosures.
Start your new article by replacing these lines! If it is your first one, you may have a look at CZ:Quick Start, and if you cannot find it, just press the "Save page" button below this edit window — it will then be linked from here.
RFPolicy is one of the most commonly cited and influential disclosure policies. It outlines a method of communication with vendors to work towards a resolution of a security vulnerability. The policy includes the implicit threat that uncooperative vendors will risk full disclosure.