Barry Greene wrote on 29/10/2021 13:15:
"The NCSC will try to resolve the security problem that you have
reported in a system within 60 days. Once the problem has been resolved,
we will decide in consultation whether and how details will be published."
I would have expected you to counsel the researchers on responsible
disclosure principles.
There's a public statement about this from NCSC-NL:
https://www.ncsc.nl/actueel/nieuws/2021/oktober/29/aanstaande-bekendmaking-cvd-procedure-rpki
"In dit proces is een afweging gemaakt om de ontwikkelaar van
RPKI-client pas later te informeren. Deze afweging is gemaakt op basis
van het publieke standpunt van deze ontwikkelaars, namelijk steun voor
‘full disclosure’. De ontwikkelaars van RPKI-client hebben het NCSC
laten weten dat zij niet akkoord gaan met betrokkenheid onder embargo."
"During this process, a decision was made to inform the developer of
RPKI-client at a later stage. This decision was made on the basis of
the public standpoint of these developers, namely support for 'full
disclosure'. The developers of RPKI-client have let the NCSC know that
they do not agree with involvement under embargo."
Looks like the NCSC got confused about OpenBSD's internal security vuln
management process, which involves full disclosure on their terms, and
the way they operate with disclosures from third parties / multiparty
engagement, which involves co-operation with the disclosing party / CERT
about mutually acceptable terms, including co-ordinated disclosure, i.e.
standard industry practice. Some public clarity from the OpenBSD people
would help here.
+ there was a screwup with the rcynic developers.
It's a bit much to claim that the OpenBSD (+ rcynic) people didn't agree
with involvement under embargo when the terms were apparently: we're
releasing details in 4 days and will only tell you what the problem is
if you agree to this.
Regardless of how this misunderstanding came about, this style of
approach doesn't form part of an acceptable vulnerability management
process.
Nick