[sldev] Viewer security vulnerability disclosure group
Sheet Spotter
sheet.spotter at gmail.com
Fri Dec 26 11:08:26 PST 2008
I made a few assumptions that may not be shared by everyone:
1. Vulnerabilities must not be publicly disclosed before they are corrected.
2. Vulnerabilities must be promptly assessed and mitigated by as small a
group as possible (i.e., on a need-to-know basis).
3. Any limited disclosure of vulnerabilities is shortly followed by a
broader, more public disclosure.
I see the disclosure of vulnerabilities as similar to the disclosure of your
password. Publicly disclosing or sharing your password before you can change
it is unwise.
Failure to publicly disclose a vulnerability (or your password) is not an
example of "security through obscurity"; it's simply prudent to protect that
information.
Vulnerabilities that are under investigation must be kept under wraps.
Keeping them under wraps is not intended to deceive anyone or to deprive
anyone of critical information. It is a necessary step until the problem can
be resolved, just as maintaining the confidentiality of your password is
necessary.
Limited disclosure of security bulletins is also an important step towards
the public disclosure. It does not replace the public disclosure.
Limited disclosure ensures all products -- not just LL products -- have an
opportunity to address the vulnerability before it's widely known.
Ideally any limited disclosure would only occur once LL was capable of
identifying anyone attempting to use the vulnerability.
If there ever was a truly exceptional case where a vulnerability was so
severe that it needed to be publicly disclosed before it was corrected, then
the system should be shut down until the issue was resolved.
I have always taken security and vulnerabilities very seriously. I would
love to know about them in advance, but I recognize and accept that it's not
appropriate for me to know about them in advance. I *want* to know about
them; I don't *need* to know about them.
Sheet Spotter
-----Original Message-----
From: sldev-bounces at lists.secondlife.com
[mailto:sldev-bounces at lists.secondlife.com] On Behalf Of
infinity at lindenlab.com
Sent: December 26, 2008 11:02 AM
To: Boy Lane
Cc: sldev at lists.secondlife.com
Subject: Re: [sldev] Viewer security vulnerability disclosure group
[...]
"telling everybody about a security vulnerability before remediation is
available is bad."
> So who decides who is "good" or "bad" to receive or
> not to receive security
> bulletins? [...]
>
> I think the only way to properly handle security issues
> detected is to make everybody aware of them. [...]
>
> Merry Xmas!
>
> Boy
>