Re: Public disclosure of discovered vulnerabilities

From: Stephen Sprunk (stephen_at_sprunk.org)
Date: 05/17/05 

Date: Tue, 17 May 2005 07:10:42 -0500

"Douglas A. Gwyn" <DAGwyn@null.net> wrote in message
news:Gt2dnWCfkpxp7xTfRVn-sA@comcast.com...
> If you're talking about specific products, it makes
> sense to contact the developers and give them time to
> fix the problem before spreading the word. In the case
> of widespread (endemic) problems where it is not
> feasible to reach all the (potential) developers, there
> isn't much choice other than to publish the problem.

I think most folks consider that the reasonable approach, and it's the
one that many if not most white hats try to take.

Unfortunately, certain vendors absolutely refuse to fix a security hole,
often denying that it exists even when presented with irrefutable
evidence, unless it's made public and customer pressure becomes
significant. There's nothing to be gained by delaying public release of
the information when dealing with such vendors, since it just means
it'll be longer until a patch comes out and thus the bad guys have more
time to attack ignorant users.

In contrast, one vendor I worked with would fix security bugs and ship
patches (without telling customers what they fixed) as quickly as
possible but request that the person discovering it withhold public
release until (a) an exploit was seen in the wild or (b) six months
elapsed. The latter almost always held and so by the time they
announced the vulnerability, nearly all of their customers were already
running patched software. This is about the best response I can
imagine.

S 

-- 
Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov

Relevant Pages

  • Re: IBM obsoleting mainframe hardware
    ... less money with IBM and their other vendors than those who are current. ... the effort in supporting back-level customers. ... Many ISV product developers have a difficult time convincing management to drop support for those older environments even though they drastically hinder current development. ...
    (bit.listserv.ibm-main)
  • Re: Why is OO popular?
    ... What the customers initially think they want is sometimes ... > software developers? ... >>new technology and then depending on Marketing to convince the customers ... >>software developer responsibility. ...
    (comp.object)
  • Re: Attitude to defects
    ... By paying attention to these lists when scheduling ... Developers don't need to distinguish though: ... Don't waste effort on separating the sheep and goats, ... Customers don't care _why_ something doesn't work, ...
    (comp.software.testing)
  • Re: Just wondering... EvilOgre.com
    ... personally would love to see developers use my Encephalon components in their products and sell on EvilOgre.com. ... source from our personal source server if you plan to continue to sell and support the product elsewhere. ... I would like to be clearly distinguished as the original author, as long as your rebranding doesn't confuse the customers, I'm fine with it. ... When someone comes to see Encephalon components, ...
    (borland.public.delphi.non-technical)
  • Re: Programmer (or A Techinical person) in a Tester ...
    ... And then you report it ... And then if the bug happens again, boom - the developers have two ... Imagine the cook who just makes food or imagines his/her customers ... worse skills, nicht wahr? ...
    (comp.software.testing)