The Full Disclosure Debate Gets Warm

Security pundits and professionals have been asking whether publishing a vulnerability's explicit details is worth the price of having that information exploited by someone who doesn't necessarily have the skill or understanding to either develop the vulnerability, or to appreciate the consequences of their actions. One would think that the most reasonable solution would be to distribute the vulnerability information to the vendor and members of the security community, who would then pass it along to their customers in a timely fashion.

If only it were that simple.

A major problem that arose with this idea is that "vendor", "security community", "customer", and "timely fashion" are all relative to the interpretation of whoever is proposing the solution. In the collaborative world of open source software, the vendor can be anyone from RedHat to the kid in her basement who wrote a patch to fix another problem, which caused the vulnerability in question.

The security community has been bickering among themselves about who is a member and who isn't, and, though the CISSP community is becoming more visible, this issue isn't going to be resolved anytime soon. With the propagation of open source software, the lines between user, developer, vendor, and customer have blurred, and might better be described as a continuum rather than separate entities.

In a recent editorial on Microsoft's TechNet, Scott Culp (known by many as the human behind security@microsoft.com) attempted to rebrand full disclosure as "Information Anarchy". What seemed to be a reasoned plea for prudence on the part of those who discover vulnerabilities has been taken as a shot fired over the bow of those who would publish their findings, regardless of the participation of the vendor in publicizing or fixing the vulnerabilities.

On November 2nd, Thomas C. Greene of The Register alleged that Culp's editorial is the first step in Microsoft's new strategy of creating partnerships with researchers. Microsoft will provide internal vulnerability and other data to them in exchange for their silence, with the ultimate goal of keeping vulnerability information out of the hands of the public, and ensuring that customers are dependent solely on Microsoft for fixes. This can also be interpreted as an effort by Microsoft to put their valuable intellectual property on the table in exchange for the ability to protect their customers from malicious hackers. Though it may seem charitable of Microsoft to tip its hand to researchers who have made a close guess at what cards the company is holding, this charity comes with what many see as a Faustian bargain.

This is a debate of principle, between the interests of a business and its user community. From a business perspective, a customer going public with a product flaw before giving you a chance to fix it would be a nightmare. From a customer perspective, it would be a betrayal to find out that a product your livelihood depends upon has dangerous defects that were actively covered up by your vendor and may never be fixed. By your very use of the product and by signing an indemnification agreement with the vendor, you have no recourse except lengthy posts to Slashdot, mailing lists (or if you are lucky, your column), with run-on sentences, bad spelling, poor grammar, venom and vitriol, that ultimately make you seem like more of a crank than a crusader.

This debate is still in its very beginnings.
