Vulnerability Arbitration – Neat Idea For Responsible Vulnerability Disclosure
By Sathya Bhat on April 3rd, 2011

Vulnerability disclosure is the practice of publishing information about a problem, usually a computer security flaw, which, if left unreported, can have serious consequences. One of the recurring points of contention is how much information should be disclosed. Too little, and the report gets brushed off; too much, and anyone willing to exploit the vulnerability gets a head start on causing serious damage with it.

Vulnerability Arbitration (Vulnarb.com) is a neat concept by Zed Shaw that aims to help security researchers, consumers, and the affected companies deal with security vulnerabilities in a timely and responsible manner.

Vulnarb helps in three ways:

  • Security researchers can disclose the vulnerabilities they find in a responsible way
  • Consumers get to know which products are affected, without learning what the vulnerability is
  • Companies get an incentive to fix security holes

The concept behind Vulnarb is to use a site’s public SSL certificate together with a freshly generated random key to encrypt the vulnerability disclosure. The affected company can then use the private key behind that certificate to decrypt the message and act on it. Once the vulnerability has been fixed, the company can publish the decrypted disclosure to show that it has been fixed, or indicate that the disclosure was incorrect.
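To make the mechanism concrete, here is an added example of that encrypt-to-the-vendor flow; it is my own illustration, not Vulnarb's code, and the post does not say which algorithms the site uses. It assumes a hybrid scheme: a random AES-256-GCM key encrypts the report, and that key is wrapped with RSA-OAEP to the vendor's public key. The RSA key pair generated in `main` stands in for the key behind a real site's SSL certificate, and the `Verify` step goes slightly beyond the post: if the vendor later publishes the report together with the random key, anyone can check that the published text is exactly what was sealed. The product name, report text and key names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// oaepLabel is a constructed domain-separation label for the key wrapping.
var oaepLabel = []byte("vulnarb-demo-v1")

// SealedDisclosure is the public record: anyone can see which product is
// affected, but the report itself is readable only by the vendor.
type SealedDisclosure struct {
	Product    string // published in the clear, so consumers know what is affected
	WrappedKey []byte // the random AES key, encrypted to the vendor's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // the disclosure, encrypted with the random AES key
}

// Seal encrypts a report so that only the holder of the private key matching
// vendorPub (the key behind the site's certificate) can read it.
func Seal(vendorPub *rsa.PublicKey, product string, report []byte) (*SealedDisclosure, error) {
	key := make([]byte, 32) // fresh random AES-256 key for this one disclosure
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The product name is bound as additional authenticated data, so the record
	// cannot be re-labelled as a report about a different product undetected.
	ct := gcm.Seal(nil, nonce, report, []byte(product))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, vendorPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedDisclosure{Product: product, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the vendor side: unwrap the AES key with the private key, then
// decrypt the report. It returns the key too, so the vendor can publish it
// alongside the report once the issue is fixed.
func Open(vendorPriv *rsa.PrivateKey, sd *SealedDisclosure) (key, report []byte, err error) {
	key, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, vendorPriv, sd.WrappedKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	report, err = openWithKey(key, sd)
	return key, report, err
}

// Verify lets a third party check, after the vendor has published the report
// and the AES key, that the published text is really what was sealed earlier.
func Verify(sd *SealedDisclosure, revealedKey, publishedReport []byte) bool {
	got, err := openWithKey(revealedKey, sd)
	return err == nil && bytes.Equal(got, publishedReport)
}

func openWithKey(key []byte, sd *SealedDisclosure) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sd.Nonce, sd.Ciphertext, []byte(sd.Product))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key pair standing in for the vendor's certificate key.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	report := []byte("constructed sample report: input validation issue on the search page")
	sd, _ := Seal(&priv.PublicKey, "ExampleShop 2.1", report)
	fmt.Printf("public record: product=%q, ciphertext=%d bytes\n", sd.Product, len(sd.Ciphertext))
	key, plain, _ := Open(priv, sd)
	fmt.Printf("vendor reads: %s\n", plain)
	fmt.Println("third party can verify after publication:", Verify(sd, key, plain))
}
```

Binding the product name into the GCM additional data is a small design choice worth noting: the public part of the record is exactly what consumers are meant to see, so it should not be swappable without breaking decryption.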

For the time being, Zed has indicated this is a concept and has invited people to test it out and see if it can work. Indeed, this looks like a great idea. Do feel free to head over to Vulnarb, check it out and drop in a comment or two about this.

Author: Sathya Bhat
Sathyajith aka "Sathya" or "cpg" loves working on computers, and actively participates in many online communities. Sathya is a Community Moderator on Super User, a collaboratively maintained Q&A site which is part of the Stack Exchange network. Sathya also contributes to and is a Super Moderator at Chip India Forums. While not writing SQL queries or coding in PL/SQL, Sathya is also a gamer, a Linux enthusiast, and maintains a blog on Linux & OpenSource. You can reach Sathya on twitter.

Sathya Bhat can be contacted at sathya@techie-buzz.com.