To Disclose or Not to Disclose?

Networking/Security Forums -> General Security Discussion

Author: Rottz    Location: East Coast, USA    Posted: Tue Jun 17, 2003 3:42 pm    Post subject: To Disclose or Not to Disclose?
    ----
When to Shed Light
By Dennis Fisher (dennis_fisher@ziffdavis.com)
Dennis Fisher wrote:
Until recently, software security vulnerabilities were discovered mostly by chance and by developers, security specialists or other professionals. Once the flaw was discovered, news about it spread slowly and typically by word of mouth on bulletin boards or perhaps the occasional security lecture.

The huge network of security researchers—independent or otherwise—who race to find the next big vulnerability in Windows or Apache, for example, is a recent phenomenon.

So, too, are the overlapping and interconnected mailing lists on which the researchers publish their vulnerability bulletins. Lists such as [url=online.securityfocus.com/archive/1]BugTraq[/url] and [url=lists.netsys.com/mailman/listinfo/full-disclosure]Full Disclosure[/url] were founded to give administrators and other IT professionals a place to get early information on developing software problems.

But the amount of publicity and attention security has commanded in recent years has brought new, less experienced and less disciplined people into the security community. This, in turn, has led to vulnerability reports being published before patches are available, bulletins being stolen from researchers' computers and posted without their knowledge, and a litany of other problems.
Full Article: When to Shed Light

I think full disclosure is an important part of security, but it should be handled with care and with thought for the global community. Depending on the threat level of the vulnerability, the vendor should be allowed a certain amount of time to fix the security flaw. If the vendor doesn't have the resources to fix the flaw in a timely manner, the security researcher who publishes the vulnerability should provide a patch or a decent workaround to allow administrators to protect themselves from attackers who get the advisory and start scanning for it immediately. Not providing a patch or not giving the vendor an acceptable time frame to fix the flaw is irresponsible and is not thinking about what is in the best interest of the global Internet community. You should disclose, but be responsible about it.

What are everyone's views on disclosure?

Additional Links:

Author: Mongrel    Posted: Tue Jun 17, 2003 10:53 pm    Post subject:
    ----
I think disclosure is a must-have. It must be better organized so that all
affected parties can do their thing.

The software developers should get first crack at fixing the potential
leaks that exist in their programs.

If, after a certain time, the problem is not addressed by the vendor the
information should go public. Their lack of attention to, or their formal
refusal to address the issue, is license for the public disclosure.

Author: squidly    Location: Umm.. I dont know.. somewhere    Posted: Wed Jun 18, 2003 1:36 am    Post subject:
    ----
I have to agree with what Mongrel said. Full disclosure is needed, but it has to be handled with care. Giving the developer(s) time to fix the issues is needed. However, if they refuse to fix these issues, as was seen at the start of disclosure mailing lists (CERT), then the general public needs to be warned. Just like when a baby car-carrier is not correct or there is an error with a car that can cause issues.

Author: b4rtm4n    Location: Bi Mon Sci Fi Con    Posted: Wed Jun 18, 2003 1:40 am    Post subject:
    ----
Full disclosure without any restrictions IMO.

If you knew of a possible remote exploit on your system you'd rather block that service for a few days (telling the punters, of course) until the fix is released than sit there like a numpty and get hacked.


I found this out from experience and a boss that wouldn't listen to the threat!

Author: bsdjunkie    Posted: Wed Jun 18, 2003 1:49 am    Post subject:
    ----
Most people seem to agree with Rain Forest Puppy's policy:

http://www.wiretrip.net/rfp/policy.html

Author: tutaepaki    Location: New Zealand    Posted: Wed Jun 18, 2003 2:03 am    Post subject:
    ----
I agree with the initial disclosure only to vendors, and then full disclosure after a set period. The period should be short IMO, say 2 weeks maximum.


