[OWASP-LEADERS] Publishing policy

Mark Curphey mark at curphey.com
Fri Nov 15 13:11:56 EST 2002


I think we had this figured out in the Community process document I have
been developing. It's basically a document outlining how we will run the
VulnXML database.

I will work on it some more this weekend after my call with Jennifer
this afternoon to discuss getting the project management in place, and
circulate it early next week!


On Fri, 2002-11-15 at 07:49, Ingo Struck wrote:
> 
> Hi folks,
> 
> I just thought of another issue while playing with the vulnxml db:
> What about a publishing policy?
> Most people seem to agree about giving the authors a grace period
> to publish fixes against a vulnerability before publishing the details
> of the attack. Maybe we should integrate a mechanism to ensure this
> into the vulnxml db? My idea would be a whitelist of users (those who
> are responsible and interested in fixing their bugs) who have a pre-publishing
> access to the full-fledged attack record while others will only get the test
> description within the first 10 days (for example).
> The workflow would look like:
> 
> 1. CM proposes a test
> 2. ED / OA approve(s) the test
> 3. ED / OA contact(s) the responsible dev team with
>    a) a deadline for response with the agreement to fix the bug
>    b) a deadline for publishing the test in full length
>    (My proposal would be 2 / 14 biz days)
> 4a. dev team demands an account / uses existing account
>       to gain premature access to the test description
> 4b. no response - test will be published 2 days later
> 5a. dev team publishes fix / releases the test
> 5b. deadline expires - test published by OWASP.
> 
> Any thoughts or better ideas?
> 
> Kind regards
> 
> Ingo
> 
> -- 
> ingo at ingostruck.de
> Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
> C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24
> _______________________________________________
> Owasp-leaders mailing list
> Owasp-leaders at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-leaders
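The embargo workflow Ingo sketches above, as an added example (not code from the original thread or from the VulnXML project): a small Python model of a test record whose full attack record is readable only by whitelisted dev-team accounts until the proposed 2 / 14 business-day deadlines, or the 2-day no-response fallback of step 4b, make it public. The class and field names, the Monday-to-Friday business-day counting and the sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DEADLINE_BIZ_DAYS = 2   # step 3a: business days to agree to fix the bug
PUBLISH_DEADLINE_BIZ_DAYS = 14   # step 3b: business days until full publication
NO_RESPONSE_GRACE_DAYS = 2       # step 4b: calendar days after a missed response

def add_business_days(start: date, n: int) -> date:
    """Advance start by n Monday-to-Friday days (holidays ignored; an assumption)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current

@dataclass
class TestRecord:
    test_id: str
    description: str          # short test description, visible to everyone
    full_record: str          # full-fledged attack record, embargoed at first
    notified_on: date         # day ED/OA contacted the responsible dev team (step 3)
    responded: bool = False   # dev team agreed to fix within the response deadline
    released: bool = False    # dev team published a fix / released the test (step 5a)
    whitelist: set = field(default_factory=set)  # accounts with premature access (4a)

    def response_deadline(self) -> date:
        return add_business_days(self.notified_on, RESPONSE_DEADLINE_BIZ_DAYS)

    def publish_deadline(self) -> date:
        return add_business_days(self.notified_on, PUBLISH_DEADLINE_BIZ_DAYS)

    def grant_early_access(self, account: str) -> None:
        """Step 4a: the dev team responds and gets an account with full access."""
        self.responded = True
        self.whitelist.add(account)

    def is_public(self, today: date) -> bool:
        """Has the embargo ended for everyone (step 5a, 5b or 4b)?"""
        if self.released:
            return True
        if self.responded:
            return today >= self.publish_deadline()
        return today >= self.response_deadline() + timedelta(days=NO_RESPONSE_GRACE_DAYS)

    def view(self, account: str, today: date) -> dict:
        """What an account ("" = anonymous) may read today: full record or only the description."""
        record = {"test_id": self.test_id, "description": self.description}
        if self.is_public(today) or account in self.whitelist:
            record["full_record"] = self.full_record
        return record
```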