Rottz Just Arrived
Joined: 29 Mar 2003 Posts: 3 Location: East Coast, USA
Posted: Tue Jun 17, 2003 3:42 pm Post subject: To Disclose or Not to Disclose?
When to Shed Light
By Dennis Fisher (dennis_fisher@ziffdavis.com)
Dennis Fisher wrote:
Until recently, software security vulnerabilities were discovered mostly by chance and by developers, security specialists or other professionals. Once the flaw was discovered, news about it spread slowly and typically by word of mouth on bulletin boards or perhaps the occasional security lecture.
The huge network of security researchers—independent or otherwise—who race to find the next big vulnerability in Windows or Apache, for example, is a recent phenomenon.
So, too, are the overlapping and interconnected mailing lists on which the researchers publish their vulnerability bulletins. Lists such as [url=online.securityfocus.com/archive/1]BugTraq[/url] and [url=lists.netsys.com/mailman/listinfo/full-disclosure]Full Disclosure[/url] were founded to give administrators and other IT professionals a place to get early information on developing software problems.
But the amount of publicity and attention security has commanded in recent years has brought new, less experienced and less disciplined people into the security community. This, in turn, has led to vulnerability reports being published before patches are available, bulletins being stolen from researchers' computers and posted without their knowledge, and a litany of other problems.
Full Article: When to Shed Light
I think full disclosure is an important part of security, but it should be handled with care and with thought for the global community. Depending on the threat level of the vulnerability, the vendor should be allowed a certain amount of time to fix the security flaw. If the vendor doesn't have the resources to fix the flaw in a timely manner, the security researcher who publishes the vulnerability should provide a patch or a decent workaround to allow administrators to protect themselves from the attackers who get the advisory and start scanning for it immediately. Not providing a patch, or not giving the vendor an acceptable time frame to fix the flaw, is irresponsible and is not thinking about what is in the best interest of the global Internet community. You should disclose, but be responsible about it.
What are everyone's views on disclosure?
Additional Links:
Mongrel SF Mod
Joined: 30 May 2002 Posts: 8
Posted: Tue Jun 17, 2003 10:53 pm Post subject:
I think disclosure is a must-have. It must be better organized so that all affected parties can do their thing.
The software developers should get first crack at fixing the potential leaks that exist in their programs.
If, after a certain time, the problem is not addressed by the vendor, the information should go public. Their lack of attention to, or their formal refusal to address, the issue is license for the public disclosure.
squidly Trusted SF Member
Joined: 07 Oct 2002 Posts: 16777215 Location: Umm.. I dont know.. somewhere
Posted: Wed Jun 18, 2003 1:36 am Post subject:
I have to agree with what Mongrel said. Full disclosure is needed, but it has to be handled with care. Giving the developer(s) time to fix the issues is needed. However, if they refuse to fix these issues, as was seen at the start of disclosure mailing lists (CERT), then the general public needs to be warned. Just like when a baby car-carrier is not correct or there is an error with a car that can cause issues.
b4rtm4n Trusted SF Member
Joined: 26 May 2002 Posts: 16777206 Location: Bi Mon Sci Fi Con
Posted: Wed Jun 18, 2003 1:40 am Post subject:
Full disclosure without any restrictions, IMO.
If you knew of a possible remote exploit on your system, you'd rather block that service for a few days (telling the punters, of course) until the fix is released than sit there like a numpty and get hacked.
I found this out from experience and a boss that wouldn't listen to the threat!
bsdjunkie Trusted SF Member
Joined: 13 Jun 2003 Posts: 2
tutaepaki Trusted SF Member
Joined: 02 May 2002 Posts: 3 Location: New Zealand
Posted: Wed Jun 18, 2003 2:03 am Post subject:
I agree with the initial disclosure only to vendors, and then full disclosure after a set period. The period should be short IMO, say 2 weeks maximum.