Flaw finders go their own way

David Aitel, founder of vulnerability assessment company Immunity, has received criticism from software makers and security researchers for irresponsible disclosure of software flaws. Immunity discovered four flaws in Apple’s Mac OS X but provided the information only to its customers, keeping it secret from the public and from Apple for seven months. While an increasing number of researchers delay announcing a flaw until the software maker can release a fix (a process known as “responsible disclosure”), some believe that arrangement has made companies lax about releasing patches in a timely manner. However, many also consider it dangerous to release details of a flaw to the public before a patch is ready, since doing so can alert malicious hackers to the flaw. Opinions also differ depending on the company; one researcher says Apple essentially refuses to work with independent researchers who find flaws in Apple products.
