What is Responsible Disclosure for Security Flaws?
Silverdot writes "In an article on ZDNet, the author brought up a few cases of uneasy relationships between security researchers and software firms. While those who report the bugs should first seek to notify and work with the software firm to resolve the flaw, one researcher commented: 'All researchers should follow responsible disclosure guidelines, but if a vendor like Microsoft takes six months to a year to fix a flaw, a researcher has every right to release the details.' Should the onus be on the software firm to manage each issue and the relationship well, or does it fall to the morally responsible user?"
I'd be the first to tell people about my security flaws, hell I'd advertise them. I'm just going to make some half-ass excuse and blame someone else anyway. At least that's what all the k00l keds do dez d4yz.
I don't care
But when my holes are open I close them quick before someone shoves something in there... like a Trojan.
Oddly enough, I used to work on a project for a huge company where this happened. We had a large search-engine like project that was running much slower on a 16 proc Sun box than I thought it should. I noticed that 40% of our traffic came from the same 5 subdomains, representing over 10 - 20,000 hits/hour. "Who uses a search engine that much?" I asked.
Me: Something fishy is going on here.
Boss: Report your findings to the project team.
Project Team: Hmmm... that is fishy
[weeks go by]
Me: Something fishy is STILL going on here.
Boss: Report your findings to the project team.
Project Team: We don't have a disclaimer on our site that restricts the number of hits/hour. Contact legal.
Legal: We'll get back to you.
[weeks go by]
Me: Something fishy is STILL going on here, and it's getting worse!
Boss: Report your findings to the project team.
Project Team: Did legal get back to you?
Legal: We'll get back to you.
[weeks go by]
Me: Something fishy is STILL going on here, can I at least block them via hosts.allow or a firewall?
Boss: Report your findings to the project team.
Project Team: Hmmm... I don't know. Did legal get back to you?
Legal: We'll get back to you.
[weeks go by]
Slashdot: "Your search engine is a known hack to alter page rankings at Google!"
Slashdot Commenters: OH yeah, that's been a problem for a while. That damn company!
Me: YIKES!! SLASHDOT has posted our company name in connection with fraud. AGAIN!
Boss: FUCK! DO SOMETHING! This is a PR nightmare!
Project Team: FUCK! DO SOMETHING! This is a PR nightmare!
Me: Luckily, I have already written a script to do so. Give me a sec--
Legal: We have shut down all admin access to this box, because there was this article on Slashdot, and we need to see if it's been hacked. We've opened a ticket.
Me: GAAAAAHHH!!!
Step 1) Find bug.
Step 2) Write exploit.
Step 3) Write fix.
Step 4) Let vendor know about security flaw and show them the exploit. Tell vendor you want X amount of dollars for the fix within Y days or you will release said exploit publicly.
Step 5) If vendor doesn't put up the dough or produce a publicly available patch within Y days, patent said fix and disclose exploit to the public.