|
|
from time to time, while discussing security
exposures, we debate
how/when they should be reported. I would suggest
we follow the
CERT policy, which recently changed.
--6 October 2000 CERT Vulnerability
Disclosure Policy Changes
> CERT has announced that it will disclose vulnerabilities 45 days from > the date of initial report, regardless of whether or not the vendors > have offered fixes; certain cases may merit departure from the time- > table. CERT says its aim is to balance the public's need to know with > the vendor's need for time to fix problems. > Direct link to the CERT policy: > http://www.cert.org/faq/vuldisclosurepolicy.html BTW - reporting means proper reporting thru Support
Line or some
other official IBM channel, not to this
forum!
I have not had any contact with anyone at IBM about
this. Their
current policy is the proper reporting. Some within
this group would
prefer to post first-let the people know. This
seems a logical solution.
jim
|
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
