Full Disclosure – how full is full?

Bruce Schneier says “full disclosure is the best tool we have to improve security”.

Woah, that’s rather like saying “wheeled vehicles are the best tool for ground transport of passengers”. There are many different kinds of wheeled vehicles, and there are many different kinds of “full disclosure”.

Most often, “full disclosure” means “complete and immediate public disclosure”. Such disclosure essentially acts like the starter’s pistol in a race between the malware authors and the software developer. I’d rather see the software developer get a head-start in that race.

Public disclosure was initially used as a reaction to vendors’ irresponsibility – Microsoft is the vendor most people think about, but these days a certain database company comes more instantly to mind as a company who, even when given the extra time before the starter’s pistol goes off, tends to hang around behind the stands, smoking a cigarette, and denying that there’s a race coming up.

Public disclosure is great as a punishment for current and ongoing lack of action – but as a punishment for past misdeeds, it’s very much cutting off your nose to spite your face. A vendor who is trying their best to be responsible now – even one who has always been responsible – has to deal with the fact that they have to start the race at the same time as the malware authors.

Worse, with so many different disclosure mailing lists, newsgroups, chat servers, web forums, etc., a vendor has to try to figure out a way to respond to the starter’s pistol at every athletic venue that might be hosting a race.

In such an environment, where it is impossible for most vendors to spend enough time tracking down the “exploit mailing list du jour”, this immediate public disclosure stops well short of “full disclosure”: it informs a large group of people that generally does not include the one group that can most widely spread a fix – the vendor.

In summary, it’s not full disclosure until you’ve disclosed – directly – to the vendor. It might be fun to think you’re taking the high ground by punishing the vendor, but it’s more likely that you’re punishing the users, by presuming that their best hope, the vendor, would only waste the time even if you did notify them.

The true high-ground comes when you notify the vendor, so that if they’re worthy of punishment, you can tell the public that even after you notified the vendor directly and gave them every reasonable assistance, they still failed to act in the users’ best interest. Or, the vendor acts on your notice, and you still get to claim the high-ground, because your actions directly helped the users whose security was under threat.

So, yeah, I agree with Bruce – full disclosure is our best hope. But full disclosure doesn’t begin until you’ve disclosed to the developers / vendors, and I think it’s disingenuous of Bruce not to discuss what full disclosure means to him, versus what it means to others.

2 thoughts on “Full Disclosure – how full is full?”

  1. You ask, “how full is full?” You could read the article to which Bruce Schneier links. The student found a problem and told a professor, who in turn told a sysadmin, who fixed it.

    *You’re* the one confusing the issue. The “full disclosure” that Schneier discusses is simply reporting a vulnerability to a sysadmin privately. The sort of fearmongering you’re doing here is precisely the mindset that makes such private vendor vulnerability disclosure difficult.

    Either you can’t read, or you’re intentionally trying to make us all afraid of security researchers.

    People turn to full *public* disclosure because the attitude toward full *private* disclosure is less than responsible. You waste your breath slamming full *public* disclosure here. Instead, why not *celebrate* the responsibility that this student and professor showed?

  2. You make my point for me, by asking me to go “read the article to which Bruce Schneier links”. When Bruce makes a statement such as “Full disclosure is the best tool we have”, a vast majority of his readership applies their own version of a definition of “full disclosure”, and continues to cite Bruce Schneier’s support of whatever they feel he’s blessed them for doing.

    I’m not sure where you believe I crossed the line into “fearmongering”, however – I simply say that public disclosure does not equate to full disclosure, unless the vendor / developer is informed first.

    That this doesn’t apply in the case Bruce is citing is merely an indication that he should not be using broad strokes when a finer brush is necessary. He will be quoted by people who have not looked at the links; by journalists; by hackers looking for exposure and trying to justify themselves.
