Over at the nCircle blog, Ryan Poppa concludes that debating disclosure policy is beating a dead horse, because after many years of debate there is still no industry standard. The only positive thing, in his opinion, is that the continuing debate introduces the subject to people who might not have heard all the arguments yet. I would like to add a further benefit:
If the industry manages to create a standard on this subject, it becomes possible to use legal means to prosecute those who don’t follow it. And before you all jump at me and say that I’m a corporate fanboy, let me say that this would help researchers too, because they would have a policy which, if they follow it, greatly reduces the risk of any legal retribution (unless the industry manages to screw it up and decides that 6 months is the timeframe it should be allowed).
Finally, to all of the full disclosure fans: full disclosure as a method does not have any inherent benefits. The motivation for any responsible security researcher should be consumer protection and personal gain, in that order! You cannot argue that disclosing a complete description of the flaw (possibly with exploit code) helps the users of those products / services / etc. if you are not making the disclosure in a place where that message is likely to reach a large proportion of the customers. On the flip side, most official places, such as a company’s forums, are heavily moderated, and any such post will most probably be deleted very quickly.
I don’t have a silver bullet for this problem either, but I would like to encourage anyone thinking about disclosing flaws to consider going first to the makers of the product, since they have the best means to distribute any mitigating information / patch / etc. to the users of their products. Any different approach is immoral.