[sldev] Viewer security vulnerability disclosure group
Marine Kelley
marinekelley at gmail.com
Tue Dec 23 23:45:08 PST 2008
Hi Rob and everyone,
Thank you for making this effort for us. Here are my personal thoughts
on the subject:
- Creating an early disclosure list is not only a good idea, it's
vital for a project of this size and popularity. Some viewers are
immensely popular and the users expect their tool of choice to be up
to date with the latest security fixes. When a fix is deployed, you
can be sure that the official maintainers and publishers of each
viewer, and not only the creators, get swarmed with alerts, requests
and even demands from the users. So they have to be ready for when the
information is revealed.
- We can't rely on security through obfuscation. Therefore, not
alerting the end users when a flaw is discovered only gives an
advantage to the people who are already exploiting it, and in most
cases it is a matter of hours between the discovery and the massive
exploit.
- I think you can expect only premium accounts to sign a non-disclosure
agreement (to have grounds for liability in case of a disclosure), but
this is not too much of a problem: publishing a
viewer and making it successful requires a lot of trust from the
users, because they are putting their data and money in the hands of
someone they don't know. This trust either comes from a good and
widespread reputation (in my case) or an already settled partnership
with Linden Lab (in Nicholaz' case for example). The former wouldn't
really work for NPIs because people do not naturally trust them, the
latter... well LL's trust would be somewhat already granted anyway.
However if some of the well known viewer maintainers are on basic
accounts, my apologies. This is merely my point of view and I have no
statistics to back it up.
Merry Xmas to you all
Marine
On 24 Dec 08, at 01:37, Rob Lanphier <robla at lindenlab.com> wrote:
> Hi folks,
>
> When we had the vulnerability in the Second Life viewer back in October,
> we didn't have a great setup for communicating discreetly with people
> who are working on derived works to give them a warning that they'll
> need to publish an update to keep their users safe.
>
> Since the viewer is totally secure now, I suppose this isn't a problem,
> no? Hrmph, ok, I guess we should be a little more prepared next time.
>
> I did some fishing around for how other folks handle this. Here's info
> on Mozilla's Security Group, which seems most analogous.
> http://www.mozilla.org/projects/security/membership-policy.html
>
> And here's the "Announcing Security Vulnerabilities" section from Karl
> Fogel's book "Producing Open Source Software":
> http://producingoss.com/en/publicity.html#security
>
> Here's what I'd like from you all:
> 1. A discussion about what group of people it's going to be acceptable
> to provide early access to vulnerability information. For example, is
> it reasonable for us to require non-disclosure agreements of everyone in
> the group? I suspect that we'll need to take this step, but if there's
> a really good reason that I'm not thinking of why we shouldn't do this,
> I'd like to hear it.
> 2. If you're interested in being in this group, send me an email
> indicating your interest, and why you feel you should be in this group.
>
> With any luck, we'll have a group in place before we have a
> vulnerability to disclose.
>
> Rob
>
> _______________________________________________
> Policies and (un)subscribe information available here:
> http://wiki.secondlife.com/wiki/SLDev
> Please read the policies before posting to keep unmoderated posting privileges