You’ll take your full disclosure pill, and like it.

Just a month ago now, legal threats by Sybase directed at NGS Software were used to stop the full disclosure of eight holes in its product.  NGS Software had disclosed their findings to Sybase and advised them that public disclosure would follow three months later.  Sybase didn’t like that, but it all worked out in the end after they reached a settlement.  Could it be that Sybase didn’t have enough time to warn their customers about the upgrade?

Responsible disclosure of software flaws by vulnerability researchers has “significantly improved” the security of products, Powers said.

I concur. 

So what is responsible disclosure?  Ask the security mailing lists and you will find a difference of opinion.  Even Wikipedia describes “full disclosure” as controversial.  I’d like to see the world take on the stance of “responsible disclosure”:

Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called “responsible disclosure”.

I’d like to take that a step further, and break it down:

  1. Report the vulnerability to the vendor with a suggested patch,
  2. Obtain a response from the vendor and establish a timeline for the patch release and the public disclosure, in that order,
  3. Vendor releases tested patch,
  4. Full public disclosure is made with credits.

If the vendor does not respond, make a couple more attempts and then release the disclosure.  Mark it as “vendor MIA” or similar.  Note that the suggested patch is still included in the release.

If a suggested patch is unavailable, find someone who can help you.  If you cannot produce any of the above, list that in your disclosure timeline.  Show proof you have been responsible in trying to contact the vendor and/or produce a patch.  If the above fails, and there is nothing left except for the vulnerability report, then by all means have at it.  Release the report and let the chips fall where they may.  At least you’ve shown due diligence.

Timeframe?  Is three months too long?  Is eight hours too short?  Personally, I’ve always kept mine to below a month.  The idea is to get a patch out there quickly.  The fewer holes available for poking, the better.

.Text Blog System

Yes, this is the first time I have had the honor of using .Text, an ASP-based blog system, here at MS MVPs.  I’ve been trialing the various templates, and most of them are pretty cool.  Some follow the MovableType styles.  One big difference between .Text and MovableType that I noticed immediately is when changes take effect.  .Text puts them into action right away, whereas with MovableType (forget the PHP side of it) pages must be re-generated, which is a bit of an annoyance; .Text seems more GUI friendly.  However, I haven’t seen the backend, so I cannot compare the two.  Hence, I’m still getting adjusted to the different blogging infrastructure.

Greetings fellow netizens

Much to my surprise and excitement, I was recently nominated for and awarded the Microsoft MVP for Windows Security in April 2005.  Because I never expected to receive such a recognition, I’ve taken it seriously and with much joy.  Thank you to everyone for the award.  Along with this, my wife Robin Laudanski also received the same award, and then a couple of days later our first-born child arrived.  Ergo, April 2005 is quite the experience!

I’d also like to thank Susan for creating this blog for me at  I hope I can continue to bring justice to the MVP title as all the other MVP giants do today.

To that end, I plan on using this blog for discussing news and writing papers about security and privacy and all that is found within those huge melting pots.  So, since this is my first article, I just wanted to again express my sincerest thank you to all.  Security and privacy on the Net wouldn’t be as exciting if it were not for all the wonderful folks I’ve come to know throughout the years.  You all have shown me the best ways of communicating with others and generating positive, healthy family environments.