Hackers Disagree On How, When To Disclose Bugs
darkreadingman writes to mention a post to the Dark Reading site on the debate over bug disclosure. The Month of Apple Bugs (and recent similar efforts) is drawing a lot of frustration from security researchers. Though the idea is to get these issues out into the open, commentators seem to feel that in the long run these projects are doing more bad than good. From the article: "'I've never found it to be a good thing to release bugs or exploits without giving a vendor a chance to patch it and do the right thing,' says Marc Maiffret, CTO of eEye Security Research, a former script kiddie who co-founded the security firm. 'There are rare exceptions where if a vendor is completely lacking any care for doing the right thing that you might need to release a bug without a patch -- to make the vendor pay attention and do something.'"
You seem to assume that the exploit won't be discovered independently by someone else who isn't quite so altruistic. If they won't fix it, people who are using the software have a right to know that it is vulnerable.
LOAD "SIG",8,1
They have something sort of like that. If you are the first to responsibly disclose a bug, you or your organization will be thanked in the security bulletin for disclosing it. I think there is also some kind of rudimentary financial compensation ($500 comes to mind?), but I can't find any record of it currently.
http://www.microsoft.com/technet/security/bulletin/policy.mspx
If you search "microsoft.com" for "responsible disclosure", many of the recent security bulletins list who reported it to them properly.
My opinions are my own, and do not necessarily represent those of my employer.
Ehm... no. Over the last few years Microsoft has perfectly shown that Responsible Disclosure doesn't work. You tell them about a couple of bugs, they won't fix them. You post it on Securityfocus, the moderator doesn't approve it. The public doesn't get informed, the bugs remain and get exploited.
BTST too often.
What was it about IE being unsafe for 281? Utter bullshit. I've compiled a list of critical bugs that have remained unpatched since 2004, hence IE has never been safe since then. They are publicly known, Microsoft knows them, but they won't fix them, and as long as no CVE entry exists, these bugs are claimed to be non-existent.
if you're not using them then they shouldn't be open anyway. ;-)
sigpending(2)