The demise of responsible disclosure
This is a column worth reading. The author, Jennifer Granick, is the executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. She attended CanSecWest and debated issues around public disclosure regarding security flaws. I didn't realize what all the issues were until I read her column.
Remember what happened to Michael Lynn last year at the Black Hat conference? He disclosed a major vulnerability in Cisco router software. Cisco sued him. At the time, there was a huge uproar in the security community as everyone booed Cisco for their actions. It sounds like we are going to see more of the same as companies get aggressive about protecting their financial interests.
From what Jennifer is highlighting, there may soon be an end to responsible disclosure by security researchers. Security vulnerability information has become a commodity.
"Copyright law can prevent a broker's paying customers from redistributing a patch to those who have not paid. Trade secret law can prevent insiders or entities under nondisclosure agreements from informing the public about a flaw. Patent law can prevent even those who independently discover the flaw from testing for it or patching it."
This is an extremely disconcerting trend. I agree with Jennifer when she says, "Like clean air or public parks, the public needs vulnerability information." The way things are shaping up, it sounds like big software companies can prevent the public from hearing about a vulnerability at all.
