[sldev] Viewer security vulnerability disclosure group
ordinal.malaprop at fastmail.fm
Fri Dec 26 11:19:01 PST 2008
Vulnerabilities are not like passwords. Passwords cannot be discovered
by experimentation and analysis (well, not if they are good
passwords). Passwords provide no risk unless actively disclosed.
Vulnerabilities _do_ constitute an active risk regardless of whether
they are disclosed or not, as people looking for them can (and will)
find them eventually, and once they have, the details will spread
explosively. Exposing them before they are fixed at least gives users
the chance to defend themselves before this happens, even if that
means closing down systems.

If there is a vulnerability in SL which was not already widely known -
and how can one tell? - and which LL knew that they could fix quite
shortly, then it would be best to err towards keeping it quiet until
it was fixed. If there is not progress on fixing a vulnerability then
it needs to be publicised so that people can account for it.
On 26 Dec 2008, at 19:08, Sheet Spotter wrote:
> I made a few assumptions that may not be shared by everyone:
>
> 1. Vulnerabilities must not be publicly disclosed before they are corrected.
> 2. Vulnerabilities must be promptly assessed and mitigated by as small a group as possible (i.e., on a need-to-know basis).
> 3. Any limited disclosure of vulnerabilities is shortly followed by a broader, more public disclosure.
>
> I see the disclosure of vulnerabilities as similar to the disclosure of your password. Publicly disclosing or sharing your password before you can change it is unwise.
>
> Failure to publicly disclose a vulnerability (or your password) is not an example of "security through obscurity"; it's simply prudent to protect that information.
>
> Vulnerabilities that are under investigation must be kept under wraps. Keeping them under wraps is not intended to deceive anyone or to deprive anyone of critical information. It is a necessary step until the problem can be resolved, just as maintaining the confidentiality of your password is necessary.
>
> Limited disclosure of security bulletins is also an important step towards the public disclosure. It does not replace the public disclosure.
>
> Limited disclosure ensures all products -- not just LL products -- have an opportunity to address the vulnerability before it's widely known.
>
> Ideally any limited disclosure would only occur once LL was capable of identifying anyone attempting to use the vulnerability.
>
> If there ever was a truly exceptional case where a vulnerability was so severe that it needed to be publicly disclosed before it was corrected, then the system should be shut down until the issue was resolved.
>
> I have always taken security and vulnerabilities very seriously. I would love to know about them in advance, but I recognize and accept that it's not appropriate for me to know about them in advance. I *want* to know about them, I don't *need* to know about them.
>
> Sheet Spotter
>
> -----Original Message-----
> From: sldev-bounces at lists.secondlife.com
> [mailto:sldev-bounces at lists.secondlife.com] On Behalf Of
> infinity at lindenlab.com
> Sent: December 26, 2008 11:02 AM
> To: Boy Lane
> Cc: sldev at lists.secondlife.com
> Subject: Re: [sldev] Viewer security vulnerability disclosure group
>
> [...]
>
> "telling everybody about a security vulnerability before remediation
> is
> available is bad."
>
>> So who decides who is "good" or "bad" to receive or
>> not to receive security
>> bulletins? [...]
>>
>> I think the only way to properly handle security issues
>> detected is to make everybody aware of them. [...]
>>
>> Merry Xmas!
>>
>> Boy
>>
>