New article on vulnerability disclosure

I have been a big fan of Jennifer’s attitude toward vulnerability disclosure. This particular article discusses the subject of full disclosure for software security vulnerabilities. Is it wrong? Is it right?
Opinions vary. Mine happens to conflict with my employers (I side with Granick on this topic) so I have written about this weeks after discovering the article. Why so long? I wanted to make sure my name didn’t appear anywhere on the blog so my current employer doesn’t become my most recent employer. It’s a heavy price to pay for the volume of users this blog *could* reach. Ironically only one person has ever bothered responding to this blog.
Back to the topic at hand. The article demonstrates that disclosing the facts about vulnerabilities is helpful. Many in the industry don’t feel this way and will do anything to keep vulnerability information out of public hands. Including the very existance of the vulnerability. They [the software corporations] feel that circulating details about the vulnerability will only aid attackers. It is a unique situation for computer security since anyone with sufficient knowledge and an internet connected computer could in theory use the vulnerabilty to attack others. “In other scientific fields, for example medicine, an explanation of how to synthesize polio does not endow an audience with the particular tools necessary to do so.” *
The paper goes on to explain some of the containment methods for vulnerability details and their effectiveness. Perhaps the most lucid argument of this paper is the empirical proof that disclosure does work. There is solid evidence that the constant public exposure of buffer overflows has helped educate a community of software developers. This education has significantly reduced the number of buffer overflows in software. This isn’t to say that Buffer Overflows don’t exist anymore. But having spoken to security researchers the overflows certainly don’t exist like they used to. It is very difficult to find them in many of the applications that have been targeted by researchers over the last few years.


Post a Comment

You must be logged in to post a comment.