Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
From: Matthew S. Cramer (mscramer_at_ARMSTRONG.COM)
Date: Fri, 8 Oct 2004 16:43:43 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
On Fri, Oct 08, 2004 at 10:43:02AM -0700, Martin Viktora wrote:
> First, you wrote that I do not really believe in "full disclosure"
> even though I clearly stated I am for it. I find it a little bit
> difficult to argue on that level of reasoning, but please allow
> me to clarify what I tried to propose anyway: I truly believe that
> vulnerability disclosure should follow these steps:
> 1. Vulnerability is discovered and the vendor is notified.
> 2. In time X, vulnerability existence is publicly announced
> without giving specific details. Users are urged to apply the patch.
> 3. In time Y, vulnerability's technical details are disclosed.
> While this approach might not provide benefits in all cases, it
> certainly should not hurt either. We can of course argue what are
> the appropriate times X and Y but that would be for another
> discussion and I would be happy if we got there.
This behavior *CAN* most certainly hurt. In an organization of
sufficient size and complexity, rolling out patches is an expensive
process. Both patching itself, and also dealing with all the
things that break after the patch, cost the company a great deal.
The problem is that with this limited-disclosure procedure I don't
know how the vulnerability works, so I don't know whether or not I am
vulnerable. I have to make these decisions for a Fortune 1000
company, so it kind of makes a difference. Do I have administrators
drop their other efforts to deploy patches? Or can it wait? If I
don't understand the vulnerability, then I don't understand if the way
we use the software puts us at risk. I also can't identify any way I
can mitigate the risk in some manner more simple or cost-effective.
The idea that every piece of software is patched immediately upon news
of a patch is silly for large corporations. I don't need to be told
we should patch, so those offering that insight should stay with their
home LANs or small shops where they aren't struggling with 5000
different PCs in 500 different configurations. If I had infinite
money we'd patch everything all the time, but I don't, so we can't.
Knowing which patches require my immediate attention is based upon
reviewing vulnerability details, and doing a risk assessment of our
The limited disclosure approach tells the bad guys where to look, and
leaves the good guys left to gamble. If this continues to become more
popular it will certainly not be good for security professionals.
--
Matthew S. Cramer <firstname.lastname@example.org>   Office: 717-396-5032
Infrastructure Security Analyst                     Fax:    717-396-5590
Armstrong World Industries, Inc.                    Cell:   717-917-7099