Schneier on Security
A blog covering security and security technology.
« How to Survive a Robot Uprising |
| New Zealand Espionage History »
January 25, 2006
Vulnerability Disclosure Survey
If you have a moment, take this survey.
This research project seeks to understand how secrecy and openness can be balanced in the analysis and alerting of security vulnerabilities to protect critical national infrastructures. To answer this question, this thesis will investigate:
- How vulnerabilities are analyzed, understood and managed throughout the vulnerability lifecycle process.
- The ways that the critical infrastructure security community interact to exchange security-related information and the outcome of such interactions to date.
- The nature of and influences upon collaboration and information-sharing within the critical infrastructure protection community, particularly those handling internet security concerns.
- The relationship between secrecy and openness in providing and exchanging security-related information.
This looks interesting.
Posted on January 25, 2006 at 8:24 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hmmm.. now, if the survey primarily contains people who read Bruce S. Blog, will it be fully representative of the general public?
Check this out:
"I registered deusto.com in 1997. Now, eight years later, Planeta Agostini, one of the biggest publishing groups in Spain and owner of Ediciones Deusto, sends me letters via its lawyers demanding me to transfer them the domain, because they registered the trademark "deusto" in 2002 (I repeat, I registered the domain in 1997)."
Love to hear your take on this!!
It's kind of easy to see where Rick is going with this survey, but a couple questions threw me. For example I had a hard time understanding what he meant by this:
"Secrecy can be a convenient method to conceal management errors."
If you say no, does your answer get interpreted to mean secrecy is always inconvenient to conceal management errors? ("Can" as in possible).
So I'm the only one that sees "Tsk, Tsk, Tsk." when I go to the page?
I sure don't.
Sounds like it's a web site that is being blocked by a proxy? You on a corporate network?
Try TOR :)
I agree, some of the questions are leading. Some of them are also very subjective. I'd like to see the results of the study, just to see how they are presented.
Actually, I assume that site is blocking me, because of which large corporate network I happen to be on right now.
FWIW, I thought "Tsk, tsk, tsk" was your reaction to the site. Maybe you should be a little less subtle in future ;=)
Sorry about that. That's literally all it says when I go there, and I thought that's what everyone was seeing.
A agree with some fo the others that the questions were a bit leading (I agree with Davi?!?? Shocking!). Of course, rigging polls is more common than not.
My answer to several of the questions would be "it depends." I can think of some areas - for instance, a security flaw that only affects major core routers - that would be best shared only within the group of customers until a patch is available. Like everything else in life, some discretion is necessary. But IMHO the strongly preferred default is full disclosure.
Too many subjective ways to interpret the questions in this one. I'd like to see what quantitative formulas they use to analyze these results. Classic "survey 101" problems with this set of questions, but I am interesting in seeing the results nonetheless (just read the conclusions with your own serving of salt).
It's ironic that in order to take the survey on
security, you need to have set your browser to
poor security. I filled out the first page and clicked
"continue" and nothing happened. It requires that
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.