[olug] Security Vulnerability Disclosures
andrew
olug at einer.org
Tue Mar 25 21:41:13 UTC 2003
Well. If I discover a vulnerability, and disclose it to your vendor,
I'm sure that you'd prefer that I released the details to the affected
vendors only. This is not always how things work out. In fact, there
have been a couple of stories recently about security companies getting
hacked and their recently discovered exploits being published in advance
of the vendor's solution for the exploit.
It's a double-edged sword. Full and immediate disclosure means a
guaranteed period of time between discovery and patch. Why deal with
that when you can develop the patch and release the details for the
exploit concurrently with your patch? On the other hand, if you sit on
the exploit long enough, someone else may find it and exploit it before
you can patch it. Then you're faced with the possibility that someone
else could have patched the exploit sooner than you, thus preventing the
spread of the exploit.
The problem with your cancer analogy is that the doctor doesn't actually
have the power to 'patch' cancer. That is, there is no reason for the
doctor to withhold information from you as releasing the information
doesn't create a situation where cancer spreads faster.
I think that disclosing vulnerabilities as they are found is a bad
practice. A variable length grace period needs to be assigned to the
publish date of each exploit. The vendor should be able to fix most
non-fundamental bugs in a short period of time. Of course, among bug
hunters, there is no prize for second, so take that fwiw.
Andrew Holm-Hansen
Eric Penne wrote:
>I'm looking for a rational discussion not a flame war on the benefits of
>full vs delayed disclosure of security vulnerabilities. I know this topic
>generally borders on the flame war type of discussion but I'm reasonably
>certain OLUG is above this childish crap.
>
>I'm not a security professional by any means. I run my small webserver
>for my family and another for a friend. As the sysadmin though I put
>trust in the groups that I get software from. One of those trusts is that
>the software is secure. I think that if the software is found to have a
>vulnerability then it is my best interest to know right away so that I can
>take action to prevent my servers from getting cracked. If that means
>taking my crappy little servers off line then I'll do that. Another of
>those trusts is that the software group tells me or publicly posts
>information that I can find to alert me to the vulnerability.
>
>I know some corporations cannot take machines offline. How much of this
>debate is about security, saving/making money from the security
>information, and pure public relations?
>
>In the end, I'm the person responsible for the ultimate security of my
>machine. I don't like people knowing something about my machine (which is
>a reflection of me) that I don't know about. If I had cancer, the doctor
>would not withhold this from me, because it is about me. This is one of
>the reasons I like to use open source software. Even though I don't go
>through the code to find vulnerabilities, somebody else out there may be
>doing it and they are not bound by some stupid EULA for non-disclosure of
>problems.
>
>The preceding was just a thought I had. Comments, criticism, and general
>thoughts are appreciated. Flames will be sent where they belong, file 13.
>
>Eric
>
>
>_______________________________________________
>OLUG mailing list
>OLUG at olug.org
>http://lists.olug.org/mailman/listinfo/olug
>
>