Full disclosure

From Citizendium

Full disclosure is a computer security vulnerability disclosure policy. There has been much debate about full disclosure versus responsible disclosure; disclosure policy is largely a matter of preference, as no formalized or generally accepted guidelines exist. Full disclosure is the practice of releasing the details of a computer security vulnerability (and any associated exploit code) publicly on the internet without first informing the vendor and giving them time to fix the issue. Such unfixed bugs are known as 0-day (pronounced "zero day" or "oh day") vulnerabilities, since they can be used against systems while users have no patch to apply. The so-called "0-day threat" refers to the ability of systems to respond to undisclosed or previously unknown vulnerabilities.

Full disclosure also refers to an unmoderated mailing list operated by http://grok.org.uk. The list charter states that "any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." The mailing list serves as an outlet for vulnerability disclosures.

RFPolicy is one of the most commonly cited and influential disclosure policies. It outlines a method of communication with vendors to work towards a resolution of a security vulnerability. The policy includes the implicit threat that uncooperative vendors will risk full disclosure.

Microsoft has responded to the full disclosure debate by describing a process of coordinated disclosure, as opposed to the older concept of so-called "responsible disclosure." Coordinated disclosure defines a process for working alongside a vendor to fix issues while still disclosing.