Discussion: Full Versus Responsible Disclosure

Question

Full disclosure in computer security means to disclose, via a public forum, the details of security problems in common software. It is also a philosophy of security research opposed to the idea of security through obscurity. Full disclosure has its flaws. Exploits are available for some flaws before the vendor issues a patch. Researchers revealed details of a Windows Metafile (WMF) flaw in Windows in December 2005, and exploit code was available within days. A patch (MS06-001) was not available for another two weeks.

Responsible disclosure is Microsoft's preferred method of discussing vulnerabilities. It involves telling the vendor about the bug and waiting for them to patch the vulnerability before discussing it. Meanwhile, the world sits on top of millions or even billions of vulnerable systems.

Responsible disclosure has its flaws. Researcher Mike Lynn discovered that Chinese hackers were actively exploiting Cisco's Internetwork Operating System (IOS) in 2004 and notified Cisco of a critical flaw in all of their products. Six months later, Cisco issued a patch but never issued an advisory publicizing the flaw or the fix. Eventually, Mike Lynn told the world at the Black Hat conference in July 2005. His rationale was that the flaw was so critical to the health of the Internet that the world had to know. He was widely attacked and drawn into federal court, and he is now under a gag order regarding Cisco products.

A more recent case is Johnny Cache and Dave Maynor's demonstration at Black Hat 2006. They demonstrated how a third-party wireless driver for an Apple laptop could be abused to take control of the laptop. However, they withheld specific details on how to "hack" the Apple. For withholding details of the exploitation, they were attacked in the press. The press was, in effect, demanding that researchers revert to the days of "full disclosure".

Read the following remarks, do a bit of Internet research on the issue and draft your thoughts. When researchers find software bugs, should they tell the world or tell the vendor? What should they do if the vendor refuses to acknowledge the flaw or issue an advisory (which is very common)?

Resources:

Cryptographic researcher Bruce Schneier on Full Disclosure
http://www.schneier.com/crypto-gram-0111.html

Responsible Disclosure by Corporate Fiat
http://www.securityfocus.com/columnists/120

The Mike Lynn Case
http://www.wired.com/politics/security/news/2005/08/68365
http://voices.washingtonpost.com/securityfix/2005/07/24-week/
http://taosecurity.blogspot.com/2005/07/mike-lynn-settles-it-appears-black-hat.html

Johnny Cache and Dave Maynor's presentation:
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Cache.pdf

Full Disclosure and why Vendors Hate it by Jonathan Zdziarski
http://www.zdziarski.com/blog/?p=47
