Mark Miller, director of the Microsoft Security Response Center, shares his opinions about the wisdom of sharing vulnerabilities with customers. “Responsible disclosure, reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update, benefits the users and everyone else in the security ecosystem by providing the most comprehensive and highest-quality security update possible.”
A public, unfixed vulnerability also happens to be a lot of bad press/revenue loss for any company.
Not that the authors were thinking about profit margins, but still.
It’s funny how the language can be distorted to promote ideology. Responsible disclosure should be called Timely Disclosure, because Full Disclosure is also a form of disclosure that has its advantages.
Full Disclosure allows the development of patches by third parties, gives the users the opportunity to take their own actions (like substituting the vulnerable software) and diminishes the economical value of the “vulnerability market” of black hats.
In my opinion, Microsoft can be defending its interests and public image, but really it is not defending the interest of the consumers with such a comment.
The only thing that full disclosure of a vulnerability shouldn’t really give is a totally easy exploit that can be run immediately by a script kiddie.
In other words, full disclosure *is* a form of responsible disclosure, or maybe it is *the* form of responsible disclosure.
PS: Sorry about my poor English, it is not my native language.
Edited 2007-01-12 00:29
Could it be a reasonable compromise to report directly to the vendor(in this case Microsoft), and also report publicly about the exploit – yet not provide enough specifics to take advantage of it(yet still take precautions against it)?
I think no.
Normally, the security industry sees vulnerabilities without exploit code or instructions as “fake”.
If you think about it, a vulnerability is only dangerous if it can be exploited under normal circunstances. Vulnerabilities that are too much difficult to exploit are largely ignored by software vendors and researchers.
Some Firefox crashes, for example, were corrected only a year after discovery, because there was not a clear way to exploit them. And the changelogs even cited them as a potential risk of “remote code execution”. The exploit-ready vulnerabilities were corrected in the same week.
The problem with responsible disclosure is that it puts the onus on MS to be responsible and fix the bug quickly. We have seen from past history that they arent always willing to do this. And lets be honest. Just because someone reports the ug to only MS, doesnt mean that there arent hackers out there taking advantage of it already. Therefore, full disclosure is the only choice that protects the users first, albeit at the expense of MS. Of course it is usually their crappy programming in the first place that caused the bug, so I guess its only fair that they be the ones to pay the price.
Edited 2007-01-12 17:08
Some of the bad “full disclosures” that MS and other sites are totally the vendor’s fault.
Some researchers submit the vulnerability and had to disclose the issue after many months sans response. At the same time, vendors such as MS blast the security researchers for “endangering the public” while they themselves sit on their bottom and do nothing.
I’m not sure responsible disclosure is the answer. I tend to lean on having “full disclosures with mitigation strategies at the same time”. I think it’s better to make everyone of the problem and take measures to mitigate it.
Safety by “obscurity” through responsible disclosure would just encourage vendors to be lazy most of the time.
Why not, when an exploit is found, inform Microsoft One Week prior to public announcement, which demonstrates the exploit’s method(s)?
Just a little heads-up to the the techs, then go public.
This should, in time and with enough press, cause Microsoft to try and have the problems addressed even prior to the publication of the exploit!
Would be possible. And would make a great marketing campaign based off known figures 🙂 Or not, never know.
–The loon
Is it just my imagination..? If this was one of those OSS projects the conversation would go something like : “Cool! I’ve found a flaw you guys!! Now let’s fix it cause I’m a bit stuck. Need help please! THX
” Then the rest of the comunity would rush to be the first with a fix. The end.