Martin McKeay

Security Matters

Who really benefits from responsible disclosure?

In case you hadn't heard, HD Moore has been publishing a vulnerability a day; specifically, an Internet Explorer vulnerability each day. Microsoft hates him for it, hackers hate him for it, and he has once again sparked debate on the concept of responsible disclosure. Perhaps we should start talking about a new concept, responsible patching. If Microsoft hadn't taken 6 months to address the issues Moore brought to their attention, maybe he wouldn't be putting this information on the Internet.

But HD Moore's actions bring up a very important point: responsible disclosure isn't working because hackers already know about many, if not most, of the vulnerabilities that Moore is exposing.  So who is 'responsible disclosure' really helping?  It helps the vendors because it gives them time to create patches at their leisure and it keeps them from receiving bad press.  It helps the hackers because they have a lot more time to exploit the vulnerabilities.  But it's not helping the white hats who are finding the vulnerabilities and, most importantly, it's not helping the people who are actually using the software.

I think it's time to re-examine responsible disclosure. Having the timelines defined by the vendors doesn't work. They have too much invested in pushing off disclosure as long as possible. So who do we make the arbitrator of the system? The government is the wrong answer for a multitude of reasons, such as which government and what legal system. We could create a neutral third party that vulnerabilities would be reported to and that would set timelines for the vendors, but that's also fraught with questions of enforcement and responsibility. Quite frankly, there is no easy answer to this issue.

I'm starting to believe instant disclosure by security researchers is the best solution.  Tell the vendors and the public about the vulnerabilities at the same time.  There will be some instances of the hackers getting new toys to play with, but there's plenty of evidence that they're already using known, but undisclosed, vulnerabilities.  It would force the vendors to respond in a timely fashion or face negative publicity for their bugs.  And hopefully it would give us enough information to put in place some mitigating controls until the patches are ready.

Tell me what you think.  I'm sure there are a lot of differing opinions out there.

What People Are Saying

Martin - I'm CTO and

Martin - I'm CTO and co-founder of StillSecure with Alan Shimel. It's really time to call "foul" on the current vulnerability notification process. The reality is that it has become more about public relations than forewarning users or aiding others to protect their networks. Case in point; Symantec on July 19 announced vulnerabilities in the early builds of Microsoft Vista. What's the aim of such an announcement? It's not to forewarn users, it's to draw attention to Symantec and pile on more negative publicity to Microsoft. That's the equivalent of "crying wolf" which does far more damage by desensitizing everyone from real threats. When it is a pot shot then let's call 'em like we see 'em.

Mitchell

This debate will go on and

This debate will go on and on. What is needed is an industry standard recognised approach to responsible disclosure that jointly benefits the end user, researcher and Vendor.

Specifically, responsible disclosure should (as far as possible) be governed by benchmarks that allow all concerned to measure "timing" aspects of both the initial disclosure and patch development/cycle.

e.g. If the de facto standard for a Critical IE vulnerability turnaround is 3 months (in the words of MS) then we have something by which to measure their performance. If they fail to achieve this date (in my opinion) the researcher has the right to go public!

In support of the above, look at the vulnerability publicly disclosed last November by the British Security company Computer Terrorism (UK) as read here at CW. The issue in question was reported to the vendor as early as May, but MS did not acknowledge the vulnerability as serious. As a consequence, the Security firm decided to go public drawing attention to the fact that the issue was VERY serious indeed.

The net result was a patch within 2-3 weeks.

The current unwritten disclosure process serves only to protect the vendor's bottom line – not the end user and/or researcher!

The real problem with

The real problem with responsible disclosure is that it treats vulnerabilities as business-as-usual. With instant disclosure, and to a lesser extent with the current "system" (i.e. the hodgepodge of disclosure policies), the vendor's best method of preventing bad press is vulnerability prevention. Prevention also benefits the consumers and the community at large. Maybe on some planet vendors are doing all they can to prevent vulnerabilities, but not on mine.

Vulnerability researchers

Vulnerability researchers have the right weapon in their hands to push vendors on faster response times for security issues. I think that the best sample of how this should be done is David Litchfield. He does responsible disclosure, and uses gradually public advisories to push vendors (in his case, Oracle) to a more responsible attitude. HD Moore is being a bit selfish on this IE case, IMHO.

Instant disclosure brings too few benefits to victims (most cases don't have usable workarounds) and huge benefits to a very broad black hat community. I think that the fact that there could be people exploiting the undisclosed vulnerability doesn't mean the rest of the bad guys should also know it.

A mixed approach, with instant announcement of an open issue, without further details (only the product affected and the date when the vendor was informed) is the best option. Public disclosure can be used later if the vendor refuses to fix the hole.

The analogy of a fire in a

The analogy of a fire in a crowded theater cuts both ways; what about the vendor who's trying to hide the fire, hoping they can put it out before anyone notices. Alan and I have had part of this conversation in a Security Roundtable recording we did last night, I'll let you know when it's online.

I like the quote, by the way.

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
http://www.securityroundtable.com/
Voicemail: 916.231.9479

Martin and Alan, I posted

Martin and Alan,
I posted about this on my last CW blog post, and I said that I have some issues with how HD Moore is doing this. However, if you give the vendor as much time as HD Moore has given MSFT, then you have to start doing something to get it fixed. So I agree with Martin on this one.

Michael

Better be despised for too anxious apprehensions, than ruined by too confident security.
Edmund Burke (1729 - 1797)

Martin - as we spoke about

Martin - as we spoke about last night on the Security Roundtable podcast, I really think instant disclosure is akin to yelling fire in a crowded movie theater. I will be writing a formal response in my blog at
http://ashimmy.typepad.com