Bruce Schneier first raised the question of how AV companies responded in his 11/17 article in Wired magazine. At that point the argument was somewhat theoretical: if AV companies knew, then why didn't they say anything? Given their tenacious research capabilities it's hard to imagine they didn't know. As it turns out, someone did: Finnish AV firm F-Secure was aware of the Sony DRM rootkit feature in late September and made Sony aware of it on October 4th, according to Business Week. What F-Secure has done is make a valuable argument for ethical disclosure.
Consider this: at the time of their discovery there was no way to know how many computers had been affected. This was before Kaminsky had released his DNS findings and before a complete list of affected CDs was publicly known. At this stage, based on publicly available information, we can assume the total number of infections was relatively low. So why not make the findings public?
During early October there was a low incidence of XCP infection, and installation of the software was elective. XCP does not come bundled with Windows or OS X; a user has to choose to copy the CD to their hard drive before infection can occur. So given the low incidence of XCP infection, and given that public disclosure is an excellent way to halt further infection, why didn't F-Secure make an announcement? Given my knowledge of the company's history I have to assume there was a good reason. NDAs, the lack of an uninstaller, or pressure from a larger company are all possibilities, but the ultimate reason remains unknown.
There are merits and drawbacks to full disclosure, but largely only merits to ethical disclosure. Here the potential for abuse was relatively low and the potential for improving the security of end users was high. So the question remains: why weren't we reading about this on F-Secure's blog in early October?