Slashdot Mirror


Firm To Release Database, Web Server 0-Days

krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to the conclusion that, to put it simply, it is a waste of time. Now, we do not contact vendors and do not support the so-called "responsible disclosure" policy,' Legerov said."

2 of 220 comments

  1. Re:Responsible Disclosure by hawkeye_82 · Score: 4, Interesting

    This is like punishment.

    The irresponsible party in this case is the software vendor. If the vendor can't clean up their act, and at least work on fixing 0-day exploits, then public disclosure/humiliation is probably a good way to get at least some vendors to sit up, take note and do the right thing the next time around.

    This sounds like a good case for establishing a procedure.

    1. Contact vendor about exploit, with an expiry date.
    2. Release information about exploit once date has expired, irrespective of whether bug is fixed, and the fix deployed.

    Is there perhaps a clearing house for such things?

  2. Re:Responsible Disclosure by morgan_greywolf · Score: 4, Interesting

    The term "responsible disclosure" is newspeak for "keep your mouth shut". The alternative to 'responsible disclosure' is that the vulnerabilities continue to exist for sometimes years, with wild exploits happening perhaps unknown for long periods of time.

    I think it's okay to notify the company and give them time to fix the bug, but time on the order of years is completely unreasonable. On the Internet, a year is a very, very long time.