[widdershins] independent security researchers vs companies ?!

hellNbak hellnbak at nmrc.org
Fri Sep 9 14:22:11 EDT 2005


On Fri, 9 Sep 2005, Stuart MacIntosh wrote:

> 'responsible disclosure' is prone to corruption(bribes anyone?) and is
> not ultimately fair or responsible to the public or private. Security
> researchers are in a field of their own and have absolutely no
> obligation to grant 'grace time' to corporations or software developers.

You are partially correct.  Bribes?  Let's hear an example of this. As for 
providing grace time?  How is that not the responsible thing to do for 
*any* vendor including open source ones?  Giving the vendor time before 
disclosing the issue to the world lets them have an official patch ready 
so that those that actually care can install the patch and be done with 
it.  Just dropping the issue on the public increases the risk.

> I support full, public disclosure; which is not a problem but, the civil
> response to the greater problem of dodgy security.

Full, public disclosure, to me anyways, doesn't mean dropping an issue on 
to the public without notifying the vendor first.  Whether you give the 
vendor 3 days or 30 or even 60 is up to the researcher involved (or the 
company paying the researcher) but at least giving them a heads up is the 
right thing to do.

I am making an assumption, by your domain name, that you support the 
dropping of a vuln to the public because you can simply write your own 
patch / modify the source / whatever rather quickly.  That is cool, and it 
does make a good argument but it is an argument that doesn't scale.

Open source software is being used in the corporate world -- which means 
you have a number of boxes that are potential targets with admins running 
them that do not have the ability to write their own patch, won't trust 
your patch, and will sit back and wait for their vendor to release an 
official one.

It is all about the risk.  The typical argument to this is usually: "well 
if xyz researcher/h4x0r found the bug that means others may have or 
already have".  Sure, that is a valid concern... but give me one real 
world example of this happening?

Let's take the last worm in the windows world we saw.  It exploited (among 
others) MS05-039 - the PnP Vulnerability.  If someone malicious, other 
than ISS, had discovered this bug prior, don't you think we would have seen 
a worm long before the patch?  Don't you think we would have seen reports 
of Windows 2000 boxes being owned and no one knows why?

So sure, maybe a few guys found and knew about this bug.  But they sure as 
hell didn't abuse it on a mass scale (corporate espionage perhaps?) which 
is where the real perceived risk is at this point.
