Responsible disclosure

Should software vulnerabilities be disclosed publicly before the vendor has had a chance to respond with patches or other mitigations?

I love Monday mornings.  This is the time when all calamity breaks loose.  Often a new exploit has been released over the weekend, and we're all in the receiving line for extra work.

Look, if you know of an application or operating system vulnerability, disclose it to the vendor.  If the vendor is slow or reluctant to respond, you are still under no obligation to disclose the problem to the world.  Reckless public disclosure only makes a bad situation worse.

OK, I know the arguments already:

  • The hackers already know, so you're not revealing much.
  • Doggone vendors!  They need to act with more responsible haste!  How dare they doubt your technical magnificence?
  • If you don't reveal it, then others will, and THEY'LL get the acclaim.

These arguments seem shallow and security-defeating when so many defenders must lob whatever security they can at a problem that has been made far larger by irresponsible disclosure postings.  Those postings ignite the malware writers into faster production of toolkits and worms.

Let's be honest: we all know that all software carries multiple unpatched vulnerabilities at any given time.  We also know that defenders' options become more uncertain and less effective when someone decides they have The Calling to disclose a vulnerability publicly.  Doing so ratchets the pressure up from hundreds of skilled attackers who might find the bug themselves to tens of thousands of script kiddies armed with multiple attack kits.

What should you do?  Disclose the problem responsibly.  Those who want a record of their own brilliance can mail themselves a copy of their vendor communications by registered mail and leave the envelope sealed.  The postmark establishes that you were the All-Knowing One at a given date and time.
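The sealed-envelope trick above is a timestamped commitment, and the same effect is easier to get cryptographically: when you send the report to the vendor, publish only a hash of it (on a mailing list, in a public post, or via a trusted timestamping service) and keep the report itself private.  Later you reveal the report and anyone can confirm it matches the hash that was public on that date.  The Python below is an added example of that commit-and-open scheme, not code from the original post; the report text, the fixed nonce and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest_hex, nonce) for a vulnerability report.

    The digest is SHA-256 over nonce || report.  Publish only the digest
    (or have a timestamping service sign it); keep the nonce with the
    report.  The random nonce stops anyone from confirming a guessed
    report against the public digest before you choose to open it.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha256()
    h.update(nonce)
    h.update(report)
    return h.hexdigest(), nonce


def verify(report: bytes, nonce: bytes, digest_hex: str) -> bool:
    """Check that a revealed report and nonce open a published digest."""
    expected, _ = commit(report, nonce)
    # Constant-time comparison; cheap insurance when the check runs on a server.
    return hmac.compare_digest(expected, digest_hex)


# Constructed sample data for this example (not a real report).
SAMPLE_REPORT = b"Product X 1.2: stack overflow in parse_header(), sent to vendor 2004-03-01"
# Fixed nonce used only so the digest is reproducible in this demo;
# a real commitment uses the random nonce commit() generates.
SAMPLE_NONCE = bytes(32)


if __name__ == "__main__":
    digest, nonce = commit(SAMPLE_REPORT)
    print("publish this digest now:", digest)
    # Months later: reveal report + nonce; the unchanged report verifies,
    # an edited one does not.
    print("original verifies:", verify(SAMPLE_REPORT, nonce, digest))
    print("edited verifies:  ", verify(SAMPLE_REPORT + b" (edited)", nonce, digest))
```

Publishing the digest commits you to the report without disclosing a word of it, so it gives the vendor its response window while still fixing your priority date; the registered-mail envelope proves the same thing, but only to whoever is allowed to open it.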

No one is saying we should ignore the problems of software insecurity.  Just don't inflame an already volatile situation by recklessly inviting active exploitation of a vulnerability you've discovered.

jt
