The Business of Full Disclosure
by Wyatt WalterI’ve been enjoying reading an interesting conversation at krebsonsecurity.com surrounding news that a security firm in Russia that is disclosing a number of vulnerabilities to a number of web and database server applications. They are releasing details over this week and the next two.
For as long as I’ve cared, I’ve always considered myself more of a “responsible disclosure” kind of a person. That is, until I heard an interesting argument that I’ve never seen very clearly articulated before. As a sysadmin, when a vulnerability in a web server (for instance) is disclosed, one can monitor for someone trying to exploit that vulnerability and stop it (or at least log what happens). Without that disclosure, one has no idea what software is vulnerable and known only to some black market somewhere. It’s odd, but humans are comforted in that way. It’s kinda like knowing that a $500 repair is coming for one’s car. It’s a lot easier pill to swallow when one knows about it, say a month or so in advance rather than being surprised by it.
However, there’s still a piece of the rationale behind Intevydis’s stance on immediate full disclosure that I still don’t quite grasp. Quoting from their blog:
You – ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time would not it be better to allocate resources to enforce good coding practices for all your amateur software developers?
Okay, so the main argument here is that they don’t want to give away their research for nothing. That is absolutely a fair thing to ask for. Knowledge and research isn’t cheap, so it’s not something that many people want to give away for free. I get it. However, I have to ask: How is full disclosure better than “responsible disclosure” (I’m using the quotes because I’m not sure how responsible so-called “responsible disclosure” is anymore) in that respect? Seriously, you don’t get paid for posting a blog entry about the latest exploit in [insert your favorite CMS here] that allows others to break into those CMSs quite easily every time one is found on the web.
And another thing, exactly who’s time are we wasting here? The developers of the software are obviously not wasting their time since they’re drawing in ‘N millions’ of dollars for the software they created. Yet, the research group is the one disclosing that they’ve found a vulnerability in the software, but they won’t tell anyone what exactly the flaw or bug is. Wait. Who’s time have we wasted now? My time for reading the report and yours for researching, finding, and sort of disclosing the vulnerability? Yes, that’s exactly who’s time was wasted. Of course, if one gets to this point in the game and are wanting money, they’re likely going to be written off as a blackmailer, but let’s be real. Either do work for pay or don’t complain about someone wasting your time for wanting you to backup claims with proof.
I really can’t grasp why full, immediate disclosure of vulnerabilities helps the problem of a revenue stream for this security company over “responsible disclosure”. There are a few indirect ways that these kinds of things can help their revenue such as consulting jobs due to exposure for finding a vulnerability. Of the ways that I can think of, though, there’s still room for a bit more of a “responsible disclosure” strategy than they are acknowledging. Not only that, but they’ve essentially burned a bridge with any software company that might hire them to do a penetration test on their network when they piss off said company.
There a ton more angles to this discussion that I simply don’t have time, nor do I suspect anyone would read much of it. However, I would like to hear from anyone who disagrees or has more to add to the discussion in the comments below.
Tags: security
Filed under Tech Trends :
Comments (0) :
Jan 12th, 2010
Follow whatan00b on Twitter