Tip

Use 2004 to strike a blow for responsible disclosure

Scott Blake, Guest Contributor

Security and IT managers should use the New Year to make a difference in the way vulnerability information is made available to the bad guys.

A set of guidelines for vulnerability reporting released by the Organization for Internet Safety (OIS) recommends a 30-day grace period be observed between when a patch becomes available and technical details of the vulnerability are released. By understanding the policies that vendors and security researchers use to disclose vulnerability information, managers can make decisions about whom to do business with based on whether they follow this advice.

If customers insist that software vendors follow the guidelines and refuse to employ researchers who persist in releasing full technical details of vulnerabilities before fixes are available, we can start to turn the tide.

It used to be that when someone found a security flaw in a piece of software, reports to the vendor requesting a fix were often greeted with threats of lawsuits. Happily, those days are largely behind us, due in large part to the public release of vulnerability information. Pressure from the vendors' customers, and wariness of bad public relations, has driven software companies to take the security of their software seriously -- not to mention the desire to use good security as a competitive differentiator.

These days, software vendors that intentionally ignore vulnerability reports or threaten backlash to researchers are few and far

    Requires Free Membership to View

between -- though it does still happen. Full disclosure of vulnerability information succeeded in demonstrating that security flaws in software couldn't be ignored. Unfortunately, wide dissemination of the technical details of using vulnerabilities has also succeeded in making their widespread exploitation nearly trivial. Code that demonstrates vulnerability is typically very easy to transform into a tool a malicious person can use to break into systems.

It's no longer necessary, in most cases, to wield the club of full, immediate disclosure to motivate software vendors to fix flaws in their software. Rather, we suggest that delaying the full disclosure of technical detail doesn't hurt the interests of those with legitimate need for the information, but denies aid to those who seek merely to exploit the problem.

For example, scientific research on software engineering that seeks to analyze large bodies of vulnerability information over time must have full technical information about vulnerabilities, but has no need for that information in the first thirty days it's available. Similarly, a system cracker looking for new ways to break into systems seeks to have information about vulnerabilities that no one else has, or at least that others haven't had a chance to react to. For the system cracker, so-called zero-day (pre-disclosure) vulnerability information is the best, but few have an opportunity to install the patch on the first day it's released, so many systems could still be broken into in the first few days. Technical details about the vulnerability help system crackers develop exploits more quickly.

In 2004, the security community has an opportunity to try a different approach. The OIS guidelines are a starting point for changing the way we think about the requirements of disclosing vulnerability information.

About the author
Scott Blake, CISM, CISSP, is VP of information security at BindView. Opinions expressed in this article are those of the Organization for Internet Safety.


This was first published in December 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.