Comments (1)
Really appreciate you pointing that out @JLLeitschuh, I hadn't looked in a long time!
CC: @yesnet0 regarding `public_disclosure` in the JSON array
Schema is completely flexible and was last edited Jan 23, 2021 :)
- I'd personally like to change any "yes" to true, and "true" to true for a start. Same goes for "no" -> false, "false" -> false, etc.
- Since this is totally Open Source and run by visitors, users, maintainers (anyone who commits!) I'd love to see some expansion on the `public_disclosure` field.
Currently, only 13/4000 have a value for the key `public_disclosure`:

```text
...
"public_disclosure": "",
"public_disclosure": "",
"public_disclosure": "",
"public_disclosure": "",
"public_disclosure": "",
"public_disclosure": "co-ordinated",
"public_disclosure": "discretionary",
"public_disclosure": "discretionary",
"public_disclosure": "discretionary",
"public_disclosure": "discretionary",
"public_disclosure": "discretionary",
"public_disclosure": "discretionary",
"public_disclosure": "no",
```
A radical approach could be to default to true, otherwise false, as per:
https://www.cisa.gov/coordinated-vulnerability-disclosure-process
Verbatim via CISA:
The CISA coordinated vulnerability disclosure process involves five basic steps:
1. Collection: CISA collects vulnerability reports in three ways: CISA vulnerability analysis, monitoring public sources of vulnerability information, and direct reports of vulnerabilities to CISA. After receiving a report, CISA performs an initial analysis to assess a vulnerability’s presence and compare with existing reports to identify duplicates. CISA then catalogs the vulnerability report, including all information that is known at that point.
2. Analysis: Once the vulnerability reports are catalogued, vendor(s) and CISA analysts work to understand the vulnerabilities by examining the technical issue and the potential risk the vulnerability represents.
3. Mitigation Coordination: After analyzing a vulnerability, CISA will continue to work with the affected vendor(s) for mitigation development and the issuance of patches or updates.
4. Application of Mitigation: When possible and where necessary, CISA may work with vendor(s) to facilitate sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to public disclosure.
CISA is default-disclose. See the end of part 4. As per normal good faith research, where possible, don't release before fixed. On the contrary, the last two words are default to public disclosure.
On the contrary, public vulns that wouldn't get a CVE (config, webapp, vendor-facing, etc.) are the other thing. As @disclose isn't the CVE project, nor CISA, nor a Bounty Platform, I'm personally of the opinion that:
...in absolutely any case whatsoever, the researcher owns their own research, period.
The researcher found it, and it's their research and their journey. So unless they've happily signed an NDA etc. or are happy to do private bug bounty, vulnerability research remains the property of the researcher, which would include their discretion whether to disclose or not.
If the vendor wants to be a part of that, that's what the "joint" and "coordinated" words are there for.
HackerOne has a simplified interpretation of their viewpoint, which makes sense for their viewpoint, which would be non-public submissions (a.k.a. private programs): https://www.hackerone.com/vulnerability-management/your-tldr-summary-cert-guide-coordinated-vulnerability-disclosure
More reading material, if appropriate: https://vuls.cert.org/confluence/display/CVD
Obviously full disclosure can't be a boolean hard true/false, so here are some possible things that could be discussed for the `public_disclosure` key:

- "joint"
- "coordinated" (sometimes written co-ordinated)
- "public"
- "NDA"
- "no"
- "private"
- ?
- ...
- "sometimes"
from diodb.
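The two concrete proposals in the comment above, folding "yes"/"true"/"no"/"false" strings into real JSON booleans and constraining `public_disclosure` to a small vocabulary (with "co-ordinated" folded onto "coordinated"), are easy to enforce mechanically. The script below is an added example and not diodb's own tooling: it assumes records are objects in a JSON array like program-list.json, the boolean-ish field name `safe_harbor` is only illustrative, the sample records are constructed, and `discretionary` is kept in the vocabulary only because it already occurs in the data shown above.

```python
"""Normalise boolean-ish fields and validate `public_disclosure` in a
diodb-style program list.  Added example, not diodb's own tooling.
Assumes records are dicts in a JSON array; the field name
`safe_harbor` is an illustrative assumption."""
import json
from collections import Counter

# Constructed sample mimicking a few program-list.json entries.
SAMPLE_JSON = """[
  {"program_name": "Alpha",   "safe_harbor": "yes",   "public_disclosure": ""},
  {"program_name": "Bravo",   "safe_harbor": "true",  "public_disclosure": "co-ordinated"},
  {"program_name": "Charlie", "safe_harbor": "no",    "public_disclosure": "discretionary"},
  {"program_name": "Delta",   "safe_harbor": false,   "public_disclosure": "no"},
  {"program_name": "Echo",    "safe_harbor": "maybe", "public_disclosure": "Private"}
]"""

BOOL_FIELDS = ("safe_harbor",)  # assumption: which keys are boolean-ish

# Vocabulary proposed in the comment, plus "discretionary" because the
# current data already uses it.  Spelling variants fold onto one value.
DISCLOSURE_ALIASES = {
    "joint": "joint",
    "coordinated": "coordinated",
    "co-ordinated": "coordinated",
    "public": "public",
    "nda": "NDA",
    "no": "no",
    "private": "private",
    "sometimes": "sometimes",
    "discretionary": "discretionary",
}
TRUTHY = {"yes", "true", "y", "1"}
FALSY = {"no", "false", "n", "0"}


def to_bool(value):
    """"yes"/"true"/True -> True, "no"/"false"/False -> False, "" -> None.
    Anything else raises so junk never silently becomes a boolean."""
    if isinstance(value, bool):
        return value
    if value is None:
        return None
    s = str(value).strip().lower()
    if s == "":
        return None
    if s in TRUTHY:
        return True
    if s in FALSY:
        return False
    raise ValueError(f"not boolean-ish: {value!r}")


def normalise_disclosure(value):
    """Canonicalise public_disclosure; "" stays "" (unknown).  An
    unlisted word raises so a reviewer sees it instead of schema drift."""
    s = (value or "").strip().lower()
    if s == "":
        return ""
    if s not in DISCLOSURE_ALIASES:
        raise ValueError(f"unknown public_disclosure value: {value!r}")
    return DISCLOSURE_ALIASES[s]


def normalise_programs(programs):
    """Return (cleaned_records, problems).  A record that fails is kept
    unchanged and reported, so a CI check can fail on `problems`."""
    cleaned, problems = [], []
    for rec in programs:
        out = dict(rec)
        try:
            for field in BOOL_FIELDS:
                if field in out:
                    out[field] = to_bool(out[field])
            if "public_disclosure" in out:
                out["public_disclosure"] = normalise_disclosure(out["public_disclosure"])
        except ValueError as err:
            problems.append((rec.get("program_name"), str(err)))
            out = rec
        cleaned.append(out)
    return cleaned, problems


def disclosure_stats(programs):
    """How many records carry a non-empty public_disclosure (the 13/4000
    figure in the comment) and the distribution of values."""
    counts = Counter(r.get("public_disclosure", "") for r in programs)
    populated = sum(n for v, n in counts.items() if v)
    return populated, counts


def check_sample():
    """Run the normaliser over the constructed sample."""
    return normalise_programs(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    cleaned, problems = check_sample()
    populated, counts = disclosure_stats(cleaned)
    print(f"{populated}/{len(cleaned)} have public_disclosure set: {dict(counts)}")
    for name, msg in problems:
        print(f"PROBLEM {name}: {msg}")
```

Run it against the real file by replacing `SAMPLE_JSON` with the contents of program-list.json; the `problems` list is what a contribution check would fail on, and the record list with no problems is what you would write back as the normalised array.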