Subject: RFPolicy for vulnerability disclosure
From: rain forest puppy (rfp@WIRETRIP.NET)
Date: Mon Jun 12 2000 - 18:51:26 CDT


I'm not sure if anyone would be interested, but I thought I would give it
a whirl anyway just in case....

I just posted what I've dubbed as 'RFPolicy'. RFPolicy is an initiative to
help establish concrete guidelines for disclosure of security problems.
This was prompted due to many recent responses from vendors such as "we
were never given a chance", or "there is an 'unwritten' standard of
notifying the vendor X days ahead of time", etc.

My intent is not to push this policy onto the community. Everyone can
obviously do whatever they feel like. But *I* will be using this
disclosure policy in all future security disclosures, and I encourage
anyone wishing to use or modify it, to do so.

Feedback on the policy is also welcome. It can be found at:

http://www.wiretrip.net/rfp/policy.html

Thanks,
- rain forest puppy