Full disclosure--publicly disclosing the details of vulnerabilities--has long been the subject of heated debate in the security community and remains a double-edged sword.
On the one hand, full disclosure holds a vendor's feet to the fire so it will fix vulnerabilities quickly. The whole movement to full disclosure was in direct response to vendors ignoring security problems, and 62 percent of readers polled for this article say vendors wouldn't fix problems if they weren't exposed. Publishing vulnerabilities with working source code or step-by-step instructions proves that a vulnerability exists and forces vendors to acknowledge the problem while allowing software users to check their systems for holes. Of course, that code and those instructions also land in the hands of any script-kid who can work a browser.
The question is: Does the benefit of full disclosure outweigh the value of nondisclosure or limited disclosure? A move to nondisclosure--for example, making disclosure a criminal offense--would take us back to the bad old days before Bugtraq was started. The underground would have all the tools, and vendors would keep problems quiet. Cynical? No, just realistic. Vendors aren't inherently evil, but they aren't going to spend money where they don't need to, and fixing vulnerabilities costs money. Perhaps the Environmental Protection Agency has the right idea: Companies are forced to properly handle hazardous materials from cradle to grave or face expensive fines, the cost of clean-up and possible criminal prosecution brought about by Superfund legislation.
Partial disclosure sounds feasible. Announce the vulnerability, but don't give out details. Although that initially keeps exploit code out of the hands of script-kiddies, any programmer can use the information in partial disclosure to shorten the development time of a working exploit. That isn't much better. The side effect is that you have to rely on the vendor that created the vulnerability to fix it, and you can't check that the fix worked. And let's not forget that leakage happens.
Ninety-six percent of those polled say full disclosure serves as a check and balance to vendors, which otherwise wouldn't fess up to security vulnerabilities. The famous tagline used by L0pht Heavy Industries, now @Stake, "Making the theoretical practical since 1992," was in direct response to Microsoft, which had stated that a vulnerability was highly theoretical. Now, that doesn't mean vendors should be surprised by vulnerabilities announced on public lists. Many researchers notify vendors about security problems and work with them until a solution is found, and many vendors have programs in place to support vulnerability reporting. As long as researchers and vendors work together, the Internet community is served. Full disclosure works.