[sldev] Viewer security vulnerability disclosure group

Rob Lanphier robla at lindenlab.com
Fri Dec 26 10:09:16 PST 2008


Hi everyone,

Great discussion!  I think it's worth clarifying the range of options
we're considering, and to state explicitly what options are not on the
table.

First the non-options.  The following options are really not viable, and
aren't on the table, but have been discussed in this thread, so they're
worth pointing out as non-options:

Non-option A:  disclose vulnerabilities to everyone as soon as we're
aware of them.  As Infinity points out, this is reckless, and should
only be done in the event that there's evidence a vulnerability is
already being widely exploited, and even then, the nature of the
disclosure should be to provide enough information that people can keep
themselves safe, rather than all of the information to try the exploit
themselves.

Non-option B:  early disclosure group that gets notice of
vulnerabilities weeks or months before the general public.  Our
intention is to give a slight head start for viewer distributors, not to
delay general disclosure for longer than necessary.

Now, here's what we're considering.

Option 1:  Linden Lab creates a vulnerability early disclosure group,
admitting people into the group based on their need to know and track
record of reliability, honesty and discretion.  "Need to know" is
limited to people or organizations that distribute viewers used by a
wide audience, or some other very compelling reason to know.  This group
would get notice of some details regarding a vulnerability when Linden
Lab becomes aware of a problem, and receive the patch early when Linden
Lab has an untested fix that's ready for incorporation.  The time
between early disclosure (when this group knows about a problem) and
general disclosure (when the general public knows about the problem)
would likely be a period best measured in days, not weeks or months.

Option 2:  similar to option #1, with the addition of an explicit,
signed non-disclosure agreement as a prerequisite for joining the group.

Option 3:  Linden Lab only discloses vulnerabilities when a patch
is available (no early disclosure group).

In evaluating the three options above, I'd like folks to think it
through both ways.  What sort of requirements would you want placed on
yourself for joining, and what sort of requirements would you want placed
on others?  In particular, option #3 may be what you should recommend if
you don't trust that Linden Lab can select an early disclosure group in
a way that exploit information won't fall into the wrong hands prior to
a fix being available.  Similarly, you may prefer option #2 if you want
to make sure that everyone in the group is explicitly subject to legal
remedy for irresponsible disclosure.

Rob


