Jeremy Rauch | January 29th, 2006 | Filed Under: Disclosure

One of these days, I too shall get around to doing Rick Forno’s survey. I find stuff like this fascinating, and I’m looking forward to reading his interpretation of the result. But for now, there are just a couple of items I saw in Tom’s post that I thought I’d touch upon.

It's worth mentioning that I've been a full disclosure supporter for years. But I've never been a proponent of hasty disclosure. We seem to like to paint everyone into two camps — for and against full disclosure. What about responsible disclosure?

Tom, according to his survey, believes that vulnerability information should be made public as quickly as possible following its discovery. Uncharacteristically, he makes no attempt to explain his views. He must be saving it for a separate post where he’s going to give Peter Lindstrom a hard time again. Poor guy.

I think the problem with this question is its scope. What does "as soon as possible" mean? Discover a vulnerability, get a proof-of-concept exploit working, and post to Bugtraq? Or work with the vendor to get a fix implemented, while subtly pressuring them to get things done in a timely manner? Tom may be a "strongly agree" in his post, but I counter he's just looking to be controversial. If the degree of agreement indicates a scope from "never release" to "release immediately", Tom (and the rest of us) are really more in the "somewhat agree" camp. Or at least, I am. Full disclosure with exploit is a good stick to prod a vendor with, but I'm not convinced it helps the end user.

And to the question regarding notifying customers before fixes are available — how’s that work? Shutting down services outright might be the “moral obligation”, but is it in the best interest of the investor? As security people, we forget that, at the end of the day, security matters so long as it doesn’t get in the way of our corporate overlords making money. How long do we keep our jobs if we start shutting down critical services every time someone releases a vulnerability that no fix or workaround is available for?

Most importantly, why is my picture all screwed up in the ;login article I linked to above?

PS: to make up for this touchy-feely post, I promise to post something technically interesting next. I'll leave the security punditry to those who are better at it.
