[Infowarrior] - From Black Hat: To disclose or not to disclose?

Richard Forno rforno at infowarrior.org
Sat Aug 5 00:35:04 EDT 2006


From Black Hat: To disclose or not to disclose?
Ericka Chickowski 4 Aug 2006 14:59
http://www.scmagazine.com/uk/news/article/576032/from-black-hat-disclose-not-disclose/

Though there is still much dissension in the security world over the right
way to disclose security vulnerabilities, a panel of researchers, vendors
and end users all agreed at Black Hat yesterday that the disclosure
environment has improved over the last several years.

Some of the biggest points of contention were the perceived impact of paying
for vulnerability research, whether or not it is in the interest of end
users for vendors to disclose before developing fixes and how long a
researcher should wait for a vendor to respond to a reported security hole
before going public with the information.

While these heady issues continue to be debated, it was generally agreed
that major vendors have improved their response times during pre-disclosure
talks with researchers and have softened their adversarial view toward the
research community.

"The top 10 (vendors) pretty much have it figured out," said Paul Proctor of
Gartner, who moderated the panel. "Microsoft is in the acceptance phase.
Cisco is slowly moving out of the anger stage and into the acceptance stage.
Oracle, on the other hand is just coming out of the denial stage and into
the anger stage."

Panelists attributed the improved relations between researchers and vendors
to an acknowledgment by both groups that they are each trying to help users,
even when their philosophies may be at odds. They also said that groups such
as the U.S. Computer Emergency Readiness Team (US-CERT) have helped to act as
a mediator between the two camps when they reach a standstill over a
particular security flaw.

This can be particularly beneficial when researchers begin to get frustrated
with unresponsive vendors and just want to go public with information
they've been sitting on for many months.

"I think we've been helpful in applying pressure to keep (vendors) moving
along," said Jerry Dixon, deputy director of operations for US-CERT.

Of particular interest to audience members was the debate over whether a
vendor should disclose a flaw to its customers before a patch is issued.

Vendors with representatives on the panel, such as Microsoft, Sun and Cisco,
typically view that kind of disclosure with distaste: they consider the risk
of spreading information about an unpatched flaw to be greater for users than
the risk users run by lacking the information needed to defend themselves.
But many audience members, and the researchers on the panel, argued that
customers should be told about such vulnerabilities, since that knowledge can
affect their decisions.

"It depends on the context, but if they were to do that, it could help
people with decision making," said Raven Alder, a security researcher on the
panel. "For example, if I knew right now that there was an unpatched OS X
vulnerability I probably wouldn't connect my computer to the network here at
Black Hat."

In a show of hands, approximately half of the security experts responsible
for enterprise systems said they would prefer full disclosure to being kept
out of the loop.

"Everyone's business is different," one audience member said. "You just
don't know our risks, so who are you to decide what is and isn't an
important flaw to disclose."
