Disclose or Hide or Responsibly Disclose?
This is with reference to two security news items that I came across at more or less the same time.
1. Cisco, ISS file suit against rogue researcher
| Quote: |
| “We don’t want them to further discuss it,” said Cisco spokesman John Noh. “This is about protecting our intellectual property.” ISS’s spokesperson confirmed the company was also listed as a plaintiff on the court document. |
| Quote: |
| “I feel I had to do what’s right for the country and the national infrastructure,” independent security researcher Michael Lynn said. “It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it’s vulnerable.” |
2. ZERO DAY INITIATIVE - by 3COM & Tipping Point
| Quote: |
| The Zero Day Initiative (ZDI), founded by 3Com and TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program’s goal is threefold:
1. reward independent security research |
If you:
DISCLOSE a vulnerability, even before a fix is available, then we knowingly expose all our networks to attacks.
HIDE a vulnerability from the general public, we are putting them at great risk of surprise attacks.
RESPONSIBLY DISCLOSE (confidentially) a vulnerability first to the vendor, give them a time-frame to fix the vulnerability, beyond which it is disclosed to the world.
So what do you think is the right action - Disclose or Hide or Responsibly Disclose or
–
regards
AJ
SecureCentral™ ScanFi - Vulnerability Assessment Scanner