Vulnerability disclosure is a method of publishing information about a problem, often related to computer security which if gone unreported can result in serious consequences. One of the contentions involving disclosure is often up to what amount of information need to be disclosed. Too little information might result in the disclosure being brushed off, and too much disclosure gives people willing to exploit the vulnerability a head start in causing some serious damage with it.
Vulnerability Arbitration(Vulnarb.com) is a neat concept by Zed Shaw which aims in helping security researches, consumers, and the affected companies deal with security vulnerabilities in a timely and a responsible manner.
- Security researchers to disclose the vulnerabilities that they found in a responsible way
- Consumers get to know which products are affected, but not know what the vulnerability is
- Incentive for companies to fix security holes
The concept with Vulnarb is to use a site’s public SSL certificate and a generated random key to encrypt the vulnerability disclosure. The affected company can then use their private SSL certificate to decrypt the encrypted message and act upon it. Once the vulnerability has been fixed, the company can then publish the decrypted disclosure indicating that it has been fixed or indicate that the disclosure is incorrect.
For the time being, Zed has indicated this is a concept and has invited people to test it out and see if it can work. Indeed, this looks like a great idea. Do feel free to head over to Vulnarb, check it out and drop in a comment or two about this.