[OWASP-LEADERS] Publishing policy

Ingo Struck ingo at ingostruck.de
Fri Nov 15 10:49:10 EST 2002

Hash: SHA1

Hi folks,

I just thought of another issue while playing with the vulnxml db:
What about a publishing policy?
Most people seem to agree about giving the authors a grace period
to publish fixes against a vulnerability before publishing the details
of the attack. Maybe we should integrate a mechanism to ensure this
into the vulnxml db? My idea would be a whitelist of users (those who
are responsible and interested in fixing their bugs) who have a pre-publishing
access to the full-fledged attack record while others will only get the test
description within the first 10 days (for example).
The workflow would look like:

1. CM proposes a test
2. ED / OA approve(s) the test
3. ED / OA contact(s) the responsible dev team with
   a) a deadline for response with the agreement to fix the bug
   b) a deadline for publishing the test in full length
   (My proposal would be 2 / 14 biz days)
4a. dev team demands an account / uses existing account
      to gain premature access to the test description
4b. no response - test will be published 2 days later
5a. dev team publishes fix / releases the test
5b. deadline expires - test published by OWASP.

Any thoughts or better ideas?

Kind regards


- -- 
ingo at ingostruck.de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24
Version: GnuPG v1.2.0 (GNU/Linux)


More information about the OWASP-Leaders mailing list