nCircle VERT Blog

"Full Disclosure" vs "Responsible Disclosure"

The "full disclosure" vs "responsible disclosure" debate has been going on for years, and I doubt it will ever end, but recently we seem to have hit a point of critical mass. First we had the "no more free bugs" movement, and more recently we have had a series of 0-day vulns dropped under the guise of "full disclosure". I say that it's under the guise of full disclosure because it's not full disclosure. FD is about making companies that refuse to acknowledge vulnerabilities stand up and deal with them... it's not about tooting your own horn and saying "hey look at me". I'd like to think that my arguments in favour of FD in the past give me some ground to stand on as I begin this little diatribe.

Things that are happening lately, and by things, I mean Tavis dropping the Help and Support Center 0-day 5 days after notifying Microsoft, do not qualify as FD. It's being called FD but it's not. Full Disclosure is not the absence of Responsible Disclosure, it is, in the end, an extension of it, designed to call out companies that are not responsive to RD.

Dropping this 0-day was a stupid thing to do... there's no room for additional discussion to be had; it's a plain and simple point. If Microsoft had not acknowledged it after a month, or refused to fix it, then sure... use FD as it is intended... but that's not what happened. My comment in the office after the 0-day was dropped was that my next blog post should be entitled "Tavis is the new Gobbles".

I've been, on occasion, a fairly harsh critic of Microsoft, but in this situation I imagine I was doing the same thing that they were doing. If I were in a cartoon, I'd have had a thought bubble that simply read, "WTF?" but I suppose that people will do what they want to do.

I had intended to leave this topic alone, but Brad Spengler posted to DailyDave yesterday and inspired me to write this post. In his post he decided to take the FD debate another step backwards and present Tavis with kudos for waiting only 5 days. He also called out a number of individuals for speaking against the claimed "FD". This list included Robert Hansen and Andrew Storms, two people I respect and consider to be good friends.

Robert's post on the subject was one of the first I read, and I found myself agreeing with it. I tend to run things by my employer before I discuss them if I expect controversy, whether I'm writing about them here or on my personal blog. We then look at the best way to approach something and handle it in a responsible manner.

As for Andrew, Brad chose to simply insult him and his intelligence. I've worked with Andrew for four years and we don't always see eye to eye (he's responsible for protecting our network and I want to break it :) ) but we're always chatting about things that are happening in the industry and our thoughts on them. On Patch Tuesday, if Andrew points to a patch as being an important one to apply, you can be damn sure that, from the enterprise point of view, it's the first one you want to apply. He's not pointing to specific vulnerabilities and talking about their inner workings, he's speaking as an experienced Director of Security Operations with regard to enterprise networks. It is unfortunate that Brad decided to ignore this and simply made a personal attack.

In the end I think that both Tavis and Brad brought us back a step. The actions that Tavis took indicate that he feels that Full Disclosure and Responsible Disclosure are completely disjoint from each other, while Brad resorted to personal attacks as a defense mechanism.

Until the security community can accept that Full Disclosure exists within Responsible Disclosure, we're going to have continuous FD debates. Personally, I'm getting tired of reading them and wish people would acknowledge that tagging something with "Full Disclosure" doesn't absolve them of all responsibility.

Comments (1)

What's this 'us' you refer to that has been brought back a step? Every message I've received about the post has been positive except for this post (no surprise there).

So just to get this straight, on the one hand we have practically the whole security industry agreeing with what was said, and on the other hand we have your company (targeted in the post as contributing toward the controversy).

I don't think you're included in any 'us' -- you're irrelevant. I have a book here, "Saving Face 101", if you'd like to borrow it. I think you guys could use a few pointers.

I didn't know you were all in on the phone conferences Tavis had with Microsoft to be so certain of your view. Your baseless disrespect for people much smarter than you won't get you far in this world.

I'm sure you feel you're right and every other major player in the industry is horribly confused. Can a company survive solely off a-thousand-monkeys-on-a-typewriter equivalent "reports" to the media? I guess we'll find out. Good luck surviving in an industry that thinks you're a joke.

Color me surprised if this makes it through moderation,
-Brad

About

This page contains a single entry from the blog posted on June 18, 2010 6:38 PM.

Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.