What is Responsible Disclosure for Security Flaws?
Silverdot writes "In an article on ZDNet, the author brought up a few cases of uneasy relationships between security researchers and software firms. While those who report the bugs should first seek to notify and work with the software firm to resolve the flaw, one researcher commented: "All researchers should follow responsible disclosure guidelines, but if a vendor like Microsoft takes six months to a year to fix a flaw, a researcher has every right to release the details." Should the onus be on the software firm to manage each issue and the relationship well, or does it fall to the morally responsible user?"
Oddly enough, I used to work on a project for a huge company where this happened. We had a large search-engine-like project that was running much slower on a 16-proc Sun box than I thought it should. I noticed that 40% of our traffic came from the same 5 subdomains, representing over 10-20,000 hits/hour. "Who uses a search engine that much?" I asked.
Me: Something fishy is going on here.
Boss: Report your findings to the project team.
Project Team: Hmmm... that is fishy
[weeks go by]
Me: Something fishy is STILL going on here.
Boss: Report your findings to the project team.
Project Team: We don't have a disclaimer on our site that restricts the number of hits/hour. Contact legal.
Legal: We'll get back to you.
[weeks go by]
Me: Something fishy is STILL going on here, and it's getting worse!
Boss: Report your findings to the project team.
Project Team: Did legal get back to you?
Legal: We'll get back to you.
[weeks go by]
Me: Something fishy is STILL going on here, can I at least block them via hosts.allow or a firewall?
Boss: Report your findings to the project team.
Project Team: Hmmm... I don't know. Did legal get back to you?
Legal: We'll get back to you.
[weeks go by]
Slashdot: "Your search engine is a known hack to alter page rankings at Google!"
Slashdot Commenters: OH yeah, that's been a problem for a while. That damn company!
Me: YIKES!! SLASHDOT has posted our company name in connection with fraud. AGAIN!
Boss: FUCK! DO SOMETHING! This is a PR nightmare!
Project Team: FUCK! DO SOMETHING! This is a PR nightmare!
Me: Luckily, I have already written a script to do so. Give me a sec--
Legal: We have shut down all admin access to this box, because there was this article on Slashdot, and we need to see if it's been hacked. We've opened a ticket.
Me: GAAAAAHHH!!!