
July 21, 2006

More on rapid versus responsible disclosure

I wrote an article the other day called Fire! that was in response to a post by Martin McKeay calling for instant disclosure of vulnerabilities. Martin's premise was that vendors are not responding quickly enough to responsible disclosure, and the bad guys know about these vulnerabilities anyway. Therefore, what was the use? I responded that I think responsible disclosure is still the best alternative, but if the vendor does not respond in a timely manner, then it is OK to go public. Michael Farnum commented that he agreed with this view. No less an authority (I say that only partially tongue-in-cheek) than Mike Rothman also picked up on this and also agreed that responsible disclosure is the preferred way to handle this. Now Martin uses the recent example of PayPal taking two years to respond to a found vulnerability to justify the instant disclosure argument. I commented on Martin's post, but wanted to fully respond here.

In my mind, the person who discovered this vulnerability and sat on it for two years because PayPal did not acknowledge it is guilty of irresponsible disclosure. The whole point of responsible disclosure is to give the vendor a reasonable time to respond. Two years is way beyond that. However, I think that this example is the exception rather than the rule. I think for every PayPal example there are tens, if not hundreds, of others where the vendor does respond in a reasonable time.

Another point Martin makes is that responsible disclosure doesn't help against the bad guys, as they know about the vulnerabilities anyway. I think that is propaganda, and without proof, I don't buy it. In fact, I think instant disclosure helps the bad guys. Michael over at MCWresearch.com (who is a frequent reader of my blog, it appears) has written a very well reasoned article on this that shows some real, concrete examples of why instant disclosure helps the bad guys more than it helps anyone else. No need for me to repeat what Michael wrote, but read it for yourself. It is very persuasive.

I think the vote is in on this one and responsible disclosure is the right way to go!

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.