
Talk:Full disclosure (computer security)

From Wikipedia, the free encyclopedia

This entry is nominally correct, but it hardly takes into account both sides of the story. Life is much more complex than the simplistic binary choice which is presented in this entry (basically the two choices are presented as anti-social and misguided vs. just the way we know it must be done).

There as yet has been very little research done on what level or process of vulnerability dissemination provides the optimum benefit to society.

Anyone claiming to know a single answer that suffices for all instances should be prepared to substantiate the reasons.

It's also unfortunate that this particular article doesn't actually provide more information on the locksmith's debate from the 19th century. It is alluded to, but not discussed. Traditionally, the locksmiths have been against disclosure, not for it. —Preceding unsigned comment added by 139.149.1.194 (talk • contribs) 04:29, 8 April 2003 (UTC)

Well, the full-disclosure movement in internet security really took off in the early 1990s with the creation of the bugtraq mailing list, in response to several holes that were being actively, and widely, exploited. It was hotly debated at that time. This gives a pretty good example, and it may be possible to dig up some links to mailing list archives with good quotes... - Jmason 19:03, 1 August 2005 (UTC)

Suggest move to Full disclosure (computer security)


Full disclosure also has a meaning within journalism.

I've already created the Full disclosure (journalism) stub. I suggest this page be moved to Full disclosure (computer security) and full disclosure become a disambiguation page. —Preceding unsigned comment added by Ben@liddicott.com (talk • contribs) 10:37, 1 October 2004 (UTC)

Disagreement with one sentence


"However, this argument assumes that without disclosure such tools and attacks would not have occurred."

I don't believe that is accurate. The argument is that releasing detailed information and/or working exploit code makes a malicious person aware of a vulnerability they were not previously aware of, as well as giving them the method to exploit it immediately. —Preceding unsigned comment added by 65.5.246.150 (talk • contribs) 00:24, 7 September 2006 (UTC)

The flaw may or may not have been exploited by someone privately. The point is that now everyone knows about it, including more people who will want to exploit it. —Preceding unsigned comment added by 65.5.246.150 (talk • contribs) 00:27, 7 September 2006 (UTC)

In the future, you should sign your posts to avoid confusion. While I partly agree with your logic, I disagree with the overall point. You're assuming that the exploit code didn't exist pre-disclosure, which no one can say either way. If someone came to you and said "I know your password", would you take the claim very seriously? You may or may not, and you may or may not change that password. If they came to you and told you WHAT your password was, you would be a lot more likely to change it as quickly as possible, right? That's the point here: it's entirely possible (and in some cases likely) that the code already exists; by releasing it, you're making it hard or impossible for the vendor to ignore the vulnerability. Eliwins (talk) 21:30, 20 October 2010 (UTC)

Vulnerability Brokers


A section discussing vulnerability brokers would probably make a good addition. Noloader (talk) 03:39, 30 August 2010 (UTC)

Requested move 24 March 2014

The following discussion is an archived discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section.

The result of the move request was: Moved. EdJohnston (talk) 01:26, 1 April 2014 (UTC)


– "Full disclosure" is a generic term widely used in many domains including business, securities, journalism, politics. It's usage in computer security is marginal compared to these others. Jojalozzo 16:52, 24 March 2014 (UTC)[reply]

Survey

Feel free to state your position on the renaming proposal by beginning a new line in this section with *'''Support''' or *'''Oppose''', then sign your comment with ~~~~. Since polling is not a substitute for discussion, please explain your reasons, taking into account Wikipedia's policy on article titles.

Discussion

Any additional comments:
The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.

External links modified

Hello fellow Wikipedians,

I have just added archive links to one external link on Full disclosure (computer security). Please take a moment to review my edit. You may add {{cbignore}} after the link to keep me from modifying it, if I keep adding bad data, but formatting bugs should be reported instead. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether, but should be used as a last resort. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers. —cyberbot II (Talk to my owner: Online) 17:38, 29 March 2016 (UTC)

More history


It looks like RFPolicy was the first policy of full disclosure, going back to 2001. Some others are also mentioned in Talk:Responsible_disclosure#reference_to_idefence_and_other.

I think it would be good to have all these listed together in one place.

Grv87 (talk) 00:09, 22 March 2021 (UTC)