
Is a full vulnerability disclosure strategy a responsible approach?

When it comes to vulnerability disclosure, is it responsible for an infosec research firm to release all the details of a flaw before patching measures are in place? Expert Nick Lewis examines the question in this response.

Do you think campaigns like Abyssec Security's "Month of Bugs" actually work to improve information security, or do they end up being more for show?
Abyssec Security Research's "Month of Bugs" has the potential to improve information security, as long as the researchers work closely with the companies and developers whose software contains the bugs they find. At this point, the research firm's goals appear to be to put additional pressure on software developers to create secure software, to release more technical detail on vulnerabilities than is customary and to promote the company's research.

Abyssec is following a full vulnerability disclosure strategy. Since the formation of the Bugtraq mailing list in 1993, there has been significant disagreement over how vulnerabilities should be disclosed; the list was formed to discuss vulnerabilities regardless of the vendor's response, in order to pressure vendors into patching their software. One of Abyssec's goals in using full disclosure is to pressure software developers to fix their code faster than exploit writers can develop exploits, but, given how quickly exploits are now developed once details are public, this is probably a losing battle for software developers. Abyssec is planning to release more detail than is commonly released, in order to help security professionals determine how much risk these vulnerabilities pose to their organizations and to develop effective mitigations. Promoting the company, however, is the most likely long-term result of the "Month of Bugs" campaign.

While some may question Abyssec's motivation, the fact that the researchers are openly sharing their findings -- rather than selling the vulnerabilities to the highest bidder on the black market -- will help improve information security, since all enterprises can freely use the information to make informed decisions. The stakes of this disclosure approach are high, though: until the vulnerabilities are patched, the affected systems are left wide open to exploitation by malicious attackers. If the researchers worked with the software developers before announcing each vulnerability, they could minimize these costs to end users while still satisfying their own goals.

This was last published in September 2010
