Talk:Coordinated vulnerability disclosure

This article is rated Stub-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing High‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. High This article has been rated as High-importance on the project's importance scale. This article is supported by WikiProject Computing. Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

Citations / Supporters / Alternatives

Latest comment: 3 years ago1 comment1 person in discussion

Other entries on this page have noted many valid criticisms of this "term". At the very least (if this article is even worth retaining under its current name) there must be some citations explaining where this specific NPOV value-laden term comes from... what "authorities" argue that it is a good term-of-art that anyone should be using rather than just some informal value judgement. The term "Responsible" is especially obnoxious when it is used in list form as it is on the info box on this page: https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach where non-technical readers are sure to read it as an implication that any procedures for disclosure that don't go by this specific name must NOT be 'responsible'. Someone below already mentioned more precise terms such as: https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Coordinated_vulnerability_disclosure which goes on to say:

• The original name for this approach was “responsible disclosure”, based on the essay by Microsoft Security Manager Scott Culp “It's Time to End Information Anarchy” (referring to full disclosure). Microsoft later called for the term to be phased out in favour of “Coordinated Vulnerability Disclosure” (CVD).

DKEdwards (talk) 22:53, 20 February 2021 (UTC)Reply

full disclosure

full disclosure & responsible disclosure are two separate entities. Full disclosure is often, unfortunately, required in order to motivate some vendors in order to address vulnerabilities, but responsible disclosure should be the first step in getting a security issue fixed.

Give the vendors, your families, friends, and sysadmins a fighting chance. —Preceding unsigned comment added by 70.33.155.79 (talk • contribs) 13:29, 15 September 2006

ridicule

Latest comment: 9 years ago2 comments2 people in discussion

"(Undid revision 442197272 by 87.183.189.3 (talk) rv non-NPOV loaded language) (undo)"

The term (lemma) "Responsible disclosure" is itself non-NPOV loaded. It contains value judgement ("responsible") and it does not - as is claimed in the first sentence of the article - "describe" a "model" of disclosure.

Actually rs stands for hiding vulnerabilities by not disclosuring them to the public. The Term rs is an modern example of newspeak.

--91.9.97.201 (talk) 15:51, 3 October 2011 (UTC)Reply

I've removed the strikethrough formatting on one of the examples - there's no reason for this given in the main article. Can someone with more knowledge in the area determine whether this is either a) a valid example, b) invalid (in which case it should be removed), or c) add some explanation for the formatting? Tiredgrad (talk) 07:03, 6 August 2014 (UTC)Reply

reference to idefence and other

Latest comment: 6 years ago1 comment1 person in discussion

"Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005."

I was wondering what the significance of including these companies is in regards to information on Responsible Disclosure. While they're "big players", the term responsible disclosure is more a general term for how a vulnerability is disclosed and citing companies seems to be a little out of place. Correct me if I'm misguided, would love to know more about this topic.

Judge (talk) 02:49, 14 January 2018 (UTC)Reply

Misses the heart of the matter

Latest comment: 1 year ago2 comments2 people in discussion

This article is problematic and provides no cogent summary of the core ethical conflict around responsible disclosure. Everyone is willing to promote their own idea of what this term means, and they do with very different agendas and end-states in mind. Do be decent it must cover all of the core conudrums. First, there are those who feel early and open disclosure IS "responsible". There are vendors who believe that no disclosure ever is the only "responsible" thing. And then there are the historical efforts to strike a balance. The second controversy which is at least discussed is the paid vs unpaid reporting and the bounty vs extortion controversy.

This is a critically important issue on the Internet and I would really appreciate it if one of the cybersecurity editors would make time for this. I would do it myself, but because I am not involved in several disclosure processes, I feel that I would have an inappropriate bias. However, this current article is so poorly that if it does not improve in the next few months, I will take a stab at it, biases and all. Ftrotter (talk)

Indeed - this article has the wrong name (the modern, less confusing term is Coordinated Vulnerability Disclosure), the wrong focus, and is way out-of-date. I've started building on and updating the relevant material at Full_disclosure_(computer_security) and will come back to this when I get a chance. ★NealMcB★ (talk) 01:39, 19 October 2019 (UTC)Reply

I am not an expert on the field, neither. But I feel that both this article and the section in Full disclosure (computer security)#Coordinated vulnerability disclosure miss the really central point. Free software communities often tell you how to do coordinated disclosure, with the reasoning that “full disclosure” gives attackers an advantage—they could immediately exploit the vulnerability, while the software vendor always needs a certain amount of time to distribute patches. So this seems to me to be the most important point in this matter. To be exact: this article does not mention this point at all, while Full disclosure (computer security) mentions it only in the “wrong” section: Full disclosure (computer security)#Arguments against coordinated disclosure. ...sorry for being so negative here. --91.96.31.164 (talk) 19:46, 20 June 2022 (UTC)Reply

Unlawful Use Of Wikipedia

Latest comment: 6 months ago1 comment1 person in discussion

This is remake recopy of encyclopedia knowledge in book and so many disadvantage much wrong information just another place's to hide unlawful information get money for book that been around for generation User of Encyclopedia Changes need to be made and made use in school Library Encyclopedia — Preceding unsigned comment added by 107.122.177.72 (talk) 19:46, 26 October 2023 (UTC)Reply