Re: Towards a responsible vulnerability process

From: Thomas Reinke (reinke@E-SOFTINC.COM)
Date: 11/05/01


Message-ID:  <3BE5C9FA.77BCE2A0@e-softinc.com>
Date:         Sun, 4 Nov 2001 18:06:34 -0500
From: Thomas Reinke <reinke@E-SOFTINC.COM>
Subject:      Re: Towards a responsible vulnerability process
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I have to admit I usually don't post here. But in this entire thread
(and previous one), and discussions in other forums, there is one
consistent piece of information (I feel) people are not observing.

Full disclosure is an accountability mechanism that takes into account
vendors' and users' motivations. Any large public company is motivated
by essentially financial gain (and the desire of its shareholders
to have a return on investment). The problem is that this can be,
and often is, in direct conflict with what is best for users.
Financial motivation CAN result in:

   a) A desire to cover up problems (and thus reduce negative
      publicity that can harm sales)
   b) A desire to not bother fixing bugs (and thus reduce resource
      costs).

Yes, we can argue that there are a host of other factors to consider.
But the fact is that if organizations take a myopic view and only
consider how to be reactive to a problem (rather than proactive), you
get an organization that does exactly the above.

Full disclosure serves as the accountability mechanism to deter
this. It says "we (the community) will not allow you to cover up
problems, and we will not allow you to avoid fixing things, or you
will suffer both negative publicity immediately and your sales will
suffer in the long run".

Responsible full disclosure is (in my opinion) this mechanism
implemented in such a way to give the vendor a chance to deliver
a patch to users BEFORE the disclosure itself will unnecessarily
risk the user's systems by disclosing the problem before a solution
has been made available.

Yes, as has been pointed out, we've come a long way in terms
of vendors' attitudes (on average). But take away full disclosure,
and you lose the entire accountability mechanism that is currently
in place, and I'll guarantee you that the quality of software
would immediately suffer, at users' expense. (And by full disclosure,
I mean complete, full disclosure that allows us to absolutely
and without a doubt verify that a problem exists, and can/cannot
be taken advantage of. That means exploits are included. Anything
short of that will cause accountability problems.)

Thomas
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com