To disclose or not to disclose

The second topic I'd like to raise in connection with the vulnerability in VMWare products is an almost Shakespearean one. What should a person or an organization do when they find a vulnerability? Tell the vendor and publicly disclose at the same time? Only publicly disclose? Notify the vendor and wait for a patch? There are a bunch of strategies, as you can see. As usual, everyone has their own point of view on the problem. Microsoft, for example, follows its Coordinated Vulnerability Disclosure policy. That means they want time to create and test a fix before public disclosure (so as to cause customers as little trouble as possible) and will give anyone that time. Google runs a Responsible Disclosure policy, giving anyone 60 days to close the hole. The first option gives a vendor time to do really thorough testing, so as not to harm customers, but it may tempt them to procrastinate on delivering the cure. The second seems to force a vendor to fix an issue ASAP, but producing a patch can take 3-4 weeks even in the very best case, and in some cases even longer. Spreading information about a vulnerability before the patch is publicly available may hurt even more than a long wait for the patch without public awareness of the security hole. Or maybe not? Security is a strange area where there are no trustworthy statistics on many things.

So, I guess, everyone will just find their own way of disclosure (regardless of the reason for the choice: belief, their own statistics or marketing). The question is what to choose for myself. What am I to regard as acceptable for myself? Practice has shown that I am more on the MS side of the road: I will disclose the information to the vendor (and to my company's security officer, of course). But what will I do in case they don't do anything? I have not been in such a situation, so it is hard to say. It will depend on the severity of the vulnerability, the reaction of the vendor and time. Maybe somewhat later I will threaten the vendor with disclosure and then just disclose. Fortunately my contact with VMWare was not such a case, so I still do not know how I would deal with it: from my report until the new version there were only 17 days.

I'm interested, though: what do you think about the issue?