[sldev] Viewer security vulnerability disclosure group

Alissa Sabre alissa_sabre at yahoo.co.jp
Mon Dec 29 04:31:43 PST 2008


Rob,

> Great discussion!

This thread has continued for more than five messages.  This issue seems
non-technical.  Why didn't you stop the discussion?

Well, I believe this issue is important for many SLDev subscribers
and is worth discussing on the list, so I have no objection to seeing the
discussion continue.  However, Rob, you *are* the guardian of the
list, and you should not ignore your own rule.

... Anyway,

> Option 1:  Linden Lab creates a vulnerability early disclosure group,
> admitting people into the group based on their need to know and track
> record of reliability, honesty and discretion.  "Need to know" is
> limited to people or organizations that distribute viewers used by a
> wide audience, or some other very compelling reason to know.  This group
> would get notice of some details regarding a vulnerability when Linden
> Lab becomes aware of a problem, and receive the patch early when Linden
> Lab has an untested fix that's ready for incorporation.   The time
> between early disclosure (when this group knows about a problem) and
> general disclosure (when the general public knows about the problem)
> would likely be a period best measured in days, not weeks or months.
> 
> Option 2:  similar to option #1, with the addition of an explicit,
> signed non-disclosure agreement as a prerequisite for joining the group.

I prefer option 2 *minus* the particular phrase "used by a wide
audience" in the sentence "Need to know is limited to people or
organizations that distribute viewers used by a wide audience, or some
other very compelling reason to know." in the explanation of option 1.

I believe "used by a wide audience" is not a good criterion.  I believe
the first-priority objective of the early disclosure is to protect SL
residents who are using a third-party viewer.  Disclosing
vulnerability information only to developers of a viewer with
_a_wide_audience_ means that viewer developers without a wide
audience will not receive the vulnerability info in a timely manner.  The
consequence of this policy is that users of a viewer with a wide
audience get a timely security fix, and those of a viewer without a wide
audience don't.  If that is the case, who would choose a viewer
without a wide audience?  As a result, a policy to disclose to viewer
developers that already have a wide audience will effectively kill
new third-party distribution in the future, because nobody can get a
wide audience from the beginning.

On the other hand, I believe the early disclosure should go to as
small a group as possible.  I also believe the people who receive
vulnerability info earlier than ordinary residents should be limited
to trustworthy ones.  I support the idea of mandating an NDA, so that we
can limit the number of people as well as limit it to responsible
people.

    Alissa Sabre