I'm not sure… but I think that a lot of people might be confused about what a vulnerability is. It seems to me that some people think researchers who discover vulnerabilities are magicians, making the vuln appear out of thin air. This is not the case; it already exists… it's waiting there for somebody to stumble across, and yes, people do stumble across bugs that have a negative impact. People also simultaneously discover the same bug. If Person A reports the bug and the vendor does nothing while Person B starts exploiting the bug, then there are going to be problems. Yet if Person A publishes the bug while Person B is exploiting it, the vendor will likely respond faster and the solution will be expedited.
There's another discussion point that seems to be causing some confusion. There are people that apparently believe that releasing a vulnerability increases risk by increasing the likelihood of attack. This isn't actually the case and I'm hoping to set people straight right now, once and for all. Let's take a look at the pros and cons of publicly disclosing a vulnerability.
• Pros
- IDS/IPS, Vulnerability Management and Content Filtering vendors can ship protections and defenses to their customers much more quickly.
- The vendor will have to respond more quickly and issue a patch sooner.
- Enterprises and individuals will know that the problem exists and can take precautions to prevent it from affecting their systems, whether through policy changes, software changes or applying mitigations.
- Attackers who may have been using the code for nefarious activities are going to see the number of days in which their attack is effective decrease as user awareness increases and mitigations are released.
• Cons
- Attackers MAY not have known about the vulnerability, so we may be sharing information with them.
The pros far outweigh the cons, so the only possible answer is that the benefits of public disclosure far exceed doing nothing. This doesn't mean I'm advocating for full disclosure… I actually prefer responsible disclosure but only if action is being taken and the vendor is working under an acceptable time frame (say 30 days). After those 30 days, public disclosure seems perfectly reasonable to me… and based on the pros and cons, logic agrees with me.

Comments (1)
I am pro-full disclosure and I agree with your pros and cons, but I'm going to pick on your statement that releasing a vulnerability doesn't increase the likelihood of attack. I think it does increase the likelihood of attack.
I think Metasploit modules and attacker web-injection toolkits help illustrate this point. How many attacks are not widely known, but get wide support only after fixes (or details) are released? Basically, yes, I think it increases the likelihood of attack.
But that certainly does not outweigh the benefits of full disclosure. I'm just nitpicking your wording. :)
If you really want to get heads spinning, remind people (tech and non-tech alike) that for each vuln patched or released, there have been x number of years where that opening has existed for attackers to use.
Posted by LonerVamp | May 19, 2010 12:45 PM