
Re: [WEB SECURITY] Website Vulnerability Disclosure Stances

From: Andy Steingruebl <steingra_at_nospam>
Date: Thu Oct 04 2007 - 04:03:15 GMT
To: "robert@webappsec.org" <robert@webappsec.org>


On 10/3/07, robert@webappsec.org <robert@webappsec.org> wrote:
> Hello,
>
> We're all aware of policies such as R.F.P.'s and how companies address product related issues however
> I rarely see people speaking about website vuln disclosure stances. Do most companies provide
> public acknowledgement to vulns in their websites and provide 'credit' to those working with them?
> Do they provide acknowledgement to an issue with no details or support a formal advisory
> released by the vuln finder?

I wrote up two related pieces on exactly this topic.

http://securityretentive.blogspot.com/2007/09/why-dont-financial-institutions-have.html
http://securityretentive.blogspot.com/2007/07/security-reporting-policies-that.html

Looks like a lot of major brands don't have disclosure policies or pages at all. Two notable exceptions at this point are Google and Microsoft.

Microsoft devotes a lot of pages to the topic of the MSRC, web disclosure, etc. They even have a site up with credits:

http://www.microsoft.com/technet/security/acknowledge/default.mspx

Google does something slightly related on this page:

http://www.google.com/corporate/security.html

One item missing from both of their pages is an explicit discussion of the liability issues surrounding disclosure.

-- 
Andy Steingruebl
steingra@gmail.com