Re: What is a security bug?
* Jasper Filon:
> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security.
Availability is typically considered one aspect of security (and
arguably the hardest one to get right in networked applications).
For example, here's a quote from FIPS 199:
| Security Objectives
|
| The FISMA defines three security objectives for information and
| information systems:
|
| CONFIDENTIALITY
|
| "Preserving authorized restrictions on information access and
| disclosure, including means for protecting personal privacy and
| proprietary information..." [44 U.S.C., Sec. 3542]
|
| A loss of confidentiality is the unauthorized disclosure of information.
|
| INTEGRITY
|
| "Guarding against improper information modification or destruction,
| and includes ensuring information non-repudiation and authenticity..."
| [44 U.S.C., Sec. 3542]
|
| A loss of integrity is the unauthorized modification or destruction of
| information.
|
| AVAILABILITY
|
| "Ensuring timely and reliable access to and use of information..." [44
| U.S.C., SEC. 3542]
|
| A loss of availability is the disruption of access to or use of
| information or an information system.
As far as I know, these definitions are widely accepted and guide
most vendor security efforts.
Maybe the example I gave is not a security bug, but I think you need a
more convincing argument than "it's just a crash".