Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
From: Martin Viktora (mviktora_at_KERIO.COM)
Date: Fri, 8 Oct 2004 10:43:02 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
First, you wrote that I do not really believe in "full disclosure"
even though I clearly stated I am for it. I find it a little bit
difficult to argue on that level of reasoning, but please allow
me to clarify what I tried to propose anyway: I truly believe that
vulnerability disclosure should follow these steps:
1. The vulnerability is discovered and the vendor is notified.
2. At time X, the vulnerability's existence is publicly announced
without giving specific details. Users are urged to apply the patch.
3. At time Y, the vulnerability's technical details are disclosed.
While this approach might not provide benefits in all cases, it
certainly should not hurt either. We can of course argue about what
the appropriate times X and Y are, but that would be for another
discussion and I would be happy if we got there.
So what are those benefits? I disagree with you that the
vulnerability's technical details are worthless to the attacker
and that he can figure out the vulnerability as easily as if he
had that information. An application may consist of many binary
files that may be modified in hundreds of places. The vulnerability
might be a buffer overflow or some generic error in the application's logic
or just bad default configuration. Yes, eventually you will be able
to crack it but it is going to take time, determination and resources.
But with technical details, you are pointing out - here it is, in this
file, under precisely these conditions.
Without the technical details, depending on the motives, skills,
determination and resources of the attacker, one of the following will happen:
1. It is really easy to figure out where the vulnerability is, or the
attacker is very skillful. He writes the malicious code and releases
it. Sad day for everybody.
2. It is not that easy to figure it out, but the attacker is determined
and eventually he succeeds. However, any time we buy by not helping
him pays off. Every hour we win can mean thousands of systems patched in
time. Not so sad a day for hopefully a lot of people.
3. By not publishing details, we discouraged 200 script kiddies around
the world because it would be too much hard work and so much less fun.
Another 100 gave up after getting bored trying. Not so bad a day at all.
As you can see, I am not talking about absolute security. But I say
if there is anything reasonable that we can do to prevent unnecessary
security incidents, we should try to do it.
Second, you say that vendors must work much harder at reducing patch
development time and I cannot agree with you more, especially after
what I stated above.
Third, anybody who is releasing information that may lead to unnecessary
security incidents is not doing a good thing. And that equally applies
to ISS’s release of Apache’s chunk encoding vulnerability.