To Disclose or Not to Disclose?

Rottz
Just Arrived
Joined: 29 Mar 2003
Posts: 3
Location: East Coast, USA

Posted: Tue Jun 17, 2003 3:42 pm    Post subject: To Disclose or Not to Disclose?

When to Shed Light
By Dennis Fisher (dennis_fisher@ziffdavis.com)
Dennis Fisher wrote:
Until recently, software security vulnerabilities were discovered mostly by chance and by developers, security specialists or other professionals. Once the flaw was discovered, news about it spread slowly and typically by word of mouth on bulletin boards or perhaps the occasional security lecture.

The huge network of security researchers—independent or otherwise—who race to find the next big vulnerability in Windows or Apache, for example, is a recent phenomenon.

So, too, are the overlapping and interconnected mailing lists on which the researchers publish their vulnerability bulletins. Lists such as BugTraq (online.securityfocus.com/archive/1) and Full Disclosure (lists.netsys.com/mailman/listinfo/full-disclosure) were founded to give administrators and other IT professionals a place to get early information on developing software problems.

But the amount of publicity and attention security has commanded in recent years has brought new, less experienced and less disciplined people into the security community. This, in turn, has led to vulnerability reports being published before patches are available, bulletins being stolen from researchers' computers and posted without their knowledge, and a litany of other problems.
Full Article: When to Shed Light

I think full disclosure is an important part of security, but it should be handled with care and with thought for the global community. Depending on the threat level of the vulnerability, the vendor should be allowed a certain amount of time to fix the security flaw. If the vendor doesn't have the resources to fix the flaw in a timely manner, the security researcher who publishes the vulnerability should provide a patch or a decent workaround, to allow administrators to protect themselves from attackers who get the advisory and start scanning for it immediately. Not providing a patch, or not giving the vendor an acceptable time frame to fix the flaw, is irresponsible and is not thinking about what is in the best interest of the global Internet community. You should disclose, but be responsible about it.

What are everyone's views on disclosure?

Mongrel
SF Mod
Joined: 30 May 2002
Posts: 8

Posted: Tue Jun 17, 2003 10:53 pm

I think disclosure is a must-have. It must be better organized so that all
affected parties can do their thing.

The software developers should get first crack at fixing the potential
leaks that exist in their programs.

If, after a certain time, the problem is not addressed by the vendor the
information should go public. Their lack of attention to, or their formal
refusal to address the issue, is license for the public disclosure.
squidly
Trusted SF Member
Joined: 07 Oct 2002
Posts: 16777215
Location: Umm.. I dont know.. somewhere

Posted: Wed Jun 18, 2003 1:36 am

I have to agree with what Mongrel said. Full disclosure is needed, but it has to be handled with care. Giving the developer(s) time to fix the issues is needed. However, if they refuse to fix these issues, as was seen at the start of disclosure mailing lists (CERT), then the general public needs to be warned. Just like when a baby car-carrier is not correct or there is an error with a car that can cause issues.
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Posted: Wed Jun 18, 2003 1:40 am

Full disclosure without any restrictions IMO.

If you knew of a possible remote exploit on your system you'd rather block that service for a few days (telling the punters, of course) until the fix is released than sit there like a numpty and get hacked.


I found this out from experience and a boss that wouldn't listen to the threat!
bsdjunkie
Trusted SF Member
Joined: 13 Jun 2003
Posts: 2

Posted: Wed Jun 18, 2003 1:49 am

Most people seem to agree with Rain Forest Puppy's policy:

http://www.wiretrip.net/rfp/policy.html
tutaepaki
Trusted SF Member
Joined: 02 May 2002
Posts: 3
Location: New Zealand

Posted: Wed Jun 18, 2003 2:03 am

I agree with the initial disclosure only to vendors, and then full disclosure after a set period. The period should be short IMO, say 2 weeks maximum.
All times are GMT + 2 Hours