Security pundits and professionals have been asking whether publishing
a vulnerability's explicit details is worth the price of having that
information exploited by someone who doesn't necessarily have the skill
or understanding to either develop the vulnerability, or to appreciate
the consequences of their actions. One would think that the most
reasonable solution would be to distribute the vulnerability
information to the vendor and members of the security community, who
would then pass it along to their customers in a timely fashion.
If only it were that simple.
A major problem that arose with this idea is that "vendor", "security
community", "customer", and "timely fashion" are all relative to the
interpretation of whoever is proposing the solution. In the
collaborative world of open source software, the vendor can be anyone
from Red Hat to the kid in her basement who wrote a patch to fix
another problem, a patch which caused the vulnerability in question.

The security community has been bickering amongst itself about who is
a member and who isn't, and, though the CISSP community is becoming
more visible, this issue isn't going to be resolved anytime soon. With
the propagation of open source software, the lines between user,
developer, vendor, and customer have blurred, and might better be
described as a continuum rather than separate entities.
In a recent editorial on Microsoft's TechNet, Scott Culp (known by many
as the human behind firstname.lastname@example.org) attempted to rebrand full
disclosure as "Information Anarchy". What seemed to be a reasoned plea
for prudence on the part of those who discover vulnerabilities has
been taken as a shot fired over the bow of those who would publish
their findings, regardless of the participation of the vendor in
publicizing or fixing the vulnerabilities.

On November 2nd, Thomas C. Greene of The Register alleged that Culp's
editorial is the first step in Microsoft's new strategy of creating
partnerships with researchers. Microsoft will provide internal
vulnerability and other data to them in exchange for their silence,
with the ultimate goal of keeping vulnerability information out of the
hands of the public, and ensuring that customers are dependent solely
on Microsoft for fixes. This can also be interpreted as an effort by
Microsoft to put their valuable intellectual property on the table in
exchange for the ability to protect their customers from malicious
hackers. Though it may seem charitable of Microsoft to tip its hand to
researchers who have made a close guess at what cards the company is
holding, this charity comes with what many see as a Faustian bargain.

This is a debate of principle, between the interests of a business and
its user community. From a business perspective, a customer going
public with a product flaw before giving you a chance to fix it would
be a nightmare. From a customer perspective, it would be a betrayal to
find out that a product your livelihood depends upon has dangerous
defects that were actively covered up by your vendor and may never be
fixed. By your very use of the product and by signing an
indemnification agreement with the vendor, you have no recourse except
lengthy posts to Slashdot or mailing lists (or, if you are lucky, your
column), with run-on sentences, bad spelling, poor grammar, venom and
vitriol, that ultimately make you seem like more of a crank than a

This debate is still in its very beginnings.