
Full-Disclosure Wins Again

Seth Fogie

Posted August 15, 2007

Topics: Software Security, Security

The full-disclosure debate is a polarizing one. However, it is hard to dispute that publicly disclosing a vulnerability often results in a patch, and we just proved it again. In March we found the problem and reported it, and nothing was done. In August we posted the problem to FD, Bugtraq, and InformIT, and several days later a patch appeared. Coincidence? I think not...

Earlier this year, I was introduced to EZPhotoSales, a web application you could buy to manage your online photo gallery and sales. After looking at it for a bit, I realized the software was rather insecure. So, I contacted the company and informed them of the many bugs, to which they replied, "Unfortunately EZPhotoSales has a number of flaws..." and basically said they were working on a new product and were going to leave the old one alone due to time constraints. That was in March.

So, August comes around and the problem still isn't fixed, the new product still isn't out, and more people are exposing themselves and their hosts to potential attack. In addition, I found the software to be a good example of many things that go wrong when developing software, so I went public.

Guess what happened - a patch was released.

Would this have happened otherwise? I doubt it. In my mind, this is just another example of why full-disclosure does work.

Comments

Having worked for companies which manufacture large software applications, I know there is a period of testing which must be gone through. Prior to that testing being completed, which takes at least six weeks for large applications, no projects are going to be released. They still contain bugs, problems, quirks, etc. If companies released patches or new software because of your article I would chalk it up to coincidence first, as companies are very aware of the legal ramifications of releasing software which is broken. Unless there is phenomenal pressure, they won't do it.

By osproject, Aug 16, 2007 02:05 PM

These really paint the picture as to why FD is important. It not only fixed the software, but saves customers a $50 security patch fee:

"The way I will be getting around this with AfterShutter is by having the file generated by the server after initial install so it is only readable/writable by the server except in the few instances where the server and the user run under the same account. AfterShutter is due out mid April. It will run $200 but existing users will be able to upgrade for $50 making the total cost for an existing user less than that of a new user."

"Unfortunately EZPhotoSales has a number of flaws. It was originally designed just for our personal use and we actually offered to have it open to everyone in the beginning but no one wanted to contribute. Then it started generating a lot of interest and we decided to see what would happen if we sold it and it became popular very quickly."

"Unfortunately we're so far behind we just don't have any resources to fix EZPhotoSales and I'm not sure we could fix it all anyway without a rewrite which is exactly what AfterShutter is."

By Seth Fogie, Aug 15, 2007 10:25 AM
