Responsible disclosure is a much-discussed topic these days because of the MOAB (no, not that one – yes, it is a cheap shot, but maybe there are people who didn't read it on ten other blogs :)). Here is one blog entry which says:
I completely disagree with the decision for security companies, researchers and individuals to make information on vulnerabilities, or how to exploit them, public without following responsible disclosure – this is not very responsible. Organizations should NOT do business with entities that put our networks at risk – period!
Needless to say, I disagree with him completely, one of the reasons being that he is a business-suit type of person (a former Gartner analyst). That said, over on the securosis.com blog you can read a very detailed and very balanced description of the disclosure process and the problems with it.
If you still prefer to read this blog post, here are the key points you should keep in mind when discussing vulnerabilities:
- The bugs are not created by the researchers. The bugs are created by the company (or rather by the company's programmers), so morally speaking the company is responsible for them (unfortunately, with most modern EULAs it has no legal responsibility).
- The fact that a bug is not widely known doesn't mean that it's not known at all. It is very possible that a limited set of people know about it and are using it for nefarious purposes.
- Given this fact, any disclosure, whether it is coordinated with the vendor or not, is a good thing / a public service. Even more so when you consider that these very, very smart people do for free the work that the company failed to do, even with the (hopefully) massive amount of money put into its QA department.
- One blog post pondered the fact that many people are in the fame business when publishing vulnerabilities; however, you have to keep in mind that: (a) as one commenter noted, even if they only supply a reliable way to reproduce the bug, this is enough for the programmers to fix it, and (b) either there is a sudden increase in smart people (or at least people who know how an XSS vulnerability works) or the quality of the programs is very, very low. Either way, remember: they are doing the QA department's job for free! (This is not to say that you should fire your QA department, but at least think about bringing some of these people onto your team.)
- Finally, I have to wonder: would the poster's verdict have been so harsh if the subject of the talk were business people (as opposed to technology people)?
In conclusion: this is a technological problem first and a PR problem second, and companies should treat it that way. (Or better said: it is an economic problem first, so treat it as such: offer rewards for vulnerabilities and fix them as fast as possible; think of it as the cost you pay for not following strict security guidelines and rigorous QA testing.)