You’ll take your full disclosure pill, and like it.

Just a month ago now, legal threats by Sybase directed at NGS Software were used to halt the full disclosure of eight holes in its product.  NGS Software had disclosed its findings to Sybase and advised them that public disclosure would occur three months after that.  Sybase didn’t like that, but it all worked out in the end after they reached a settlement.  Could it be that Sybase didn’t have enough time to warn their customers about the upgrade?

Responsible disclosure of software flaws by vulnerability researchers has “significantly improved” the security of products, Powers said.

I concur. 

So what is responsible disclosure?  Talk to the security mailing lists and there is a difference of opinion.  Even Wikipedia references “full disclosure” as controversial.  I’d like to see the world take on the stance of “responsible disclosure”:

Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called “responsible disclosure”.

I’d like to take that a step further, and break it down:

  1. Report the vulnerability to the vendor with a suggested patch,
  2. Obtain a response from the vendor and establish a patch release and public disclosure timeline in that order,
  3. Vendor releases tested patch,
  4. Full public disclosure is made with credits.

If the vendor does not respond, make a couple more attempts and then release the disclosure.  Mark it as “vendor MIA” or similar.  Note that the suggested patch is still included in the release.

If a suggested patch is unavailable, find someone who can help you.  If you cannot produce any of the above, list that in your disclosure timeline.  Show proof you have been responsible in trying to contact the vendor and/or produce a patch.  If the above fails, and there is nothing left except for the vulnerability report, then by all means have at it.  Release the report and let the chips fall where they may.  At least you’ve shown due diligence.

Timeframe?  Is three months too long?  Is eight hours too short?  Personally, I’ve always kept mine to below a month.  The idea is to get a patch out there quickly.  The fewer holes available for poking, the better.
