Vitanuova for 2002 August 9 (entry 8)


I also talked to a couple of people about the "responsible disclosure" movement. It seems that a number of people are working on legislation based on the "responsible disclosure" idea. That's exactly what I was worried about when I first heard of responsible disclosure. I thought that codifying responsible disclosure as a particular procedure, and fixing a particular number of days, would give strength to a proposal to create criminal liability for doing vulnerability disclosure any other way. And it looks like that's just what's happening now.

I haven't seen any legislation yet, but I understand lobbyists are already talking with members of Congress about it, and the response from the members of Congress has been quite positive. It's being painted as a "homeland security" or "infrastructure protection" issue (if people publish exploits, then the terrorists ... well, anyway).

Speaking of disclosure, I was pleased to get a chance to chat briefly with a representative of Snosoft, which had recently received a pretty well-known legal threat over disclosure.




Contact: Seth David Schoen