Slashdot Mirror


Responsible Disclosure — 16 Opinions

An anonymous reader writes, "Disclosure. Just a word, but in the security field it is the root of progress, sharing knowledge and getting bugs fixed. SecurityFocus published an interesting collection of quotes about the best disclosure processes. The article features 11 big vendors, 2 buyers of vulnerabilities, and 3 independent researchers. What emerges is a subtle picture of the way vendors and researchers differ over how much elapsed time constitutes 'responsible.' Whereas vendors ask for unlimited patience, independent researchers look for a real commitment to develop a patch in a short time. Nice read." Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."

4 of 87 comments

  1. Why there is no entry for 'responsible disclosure' by John Fulmer · Score: 3, Insightful
    Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."
    It may be because 'full disclosure' has meaning in the security community, while 'responsible disclosure' does not.

    All 'responsible disclosure' is is a set of general ethics and courtesy that security researchers give programmers/companies/entities in order to make an orderly repair of a vulnerability. It is a function of 'full disclosure', not something in and of itself.

    Slightly related: I've read things that liken 'full disclosure' to yelling "Fire!" in a crowded theater. I tend to think of it as yelling "Fire!" in a theater made of flash paper doused in gasoline, while one of the jugglers is preparing to light his flaming torches.

    In other words, yelling 'FIRE!' is permissible, if there is actually a high likelihood of fire...
  2. Re:If it involves Microsoft.... by MankyD · Score: 2, Insightful
    Get the information in the hands of the users, so that they have a chance to protect their systems, instead of giving the vendor 5 days to look good.
    Get the information in the hands of the users? What on earth are my parents going to do with information about a buffer overflow exploit?

    Maybe you mean "Get the information in the hands of people who can fix the problem." That (with regards to the grandparent post) would be Microsoft (or whatever vendor we're talking about). My parents are never going to find some 3rd party site to download a patch from in less than 5 days.

    And what 3rd party are you going to trust?
    --
    -dave
    http://millionnumbers.com/ - own the number of your dreams
  3. Re:Why there is no entry for 'responsible disclosure' by QuantumG · Score: 3, Insightful

    Sorry, no, that's bullshit. If you wanna make stupid analogies, at least get them right. Calling "Fire!" in a crowded theatre is absolutely perfectly ok, if there is a fire. However, if you know there is a fire and know that people will, sooner or later, get burnt, going for a stroll to the front office and asking to talk to the manager, tell him there is a fire, and have him say "Yeah, we'll get to that in about 120 days, on average" is not ethical. It's not responsible. It's participating in a conspiracy that belittles the people in the theatre and hampers their ability to make a valid risk assessment.

    --
    How we know is more important than what we know.
  4. Re:What if the vendor doesn't act responsibly? by maxwell demon · Score: 2, Insightful

    Well, there may be a middle ground between full disclosure and no disclosure. In certain situations you might be able to just disclose the danger and how to avoid it, without actually disclosing enough details for black hats to exploit it (although it of course gives them a hint where to search).

    For example, "If you don't absolutely need it, switch off functionality X in product Y. I've found a serious vulnerability in Y which is only effective if the option for X is set. An attacker might take control over your computer."

    This would explain what the users need to know (activating X in Y currently is dangerous), without providing information which wouldn't help them (because they can't fix X anyway), but would help the black hats.

    --
    The Tao of math: The numbers you can count are not the real numbers.