Opening A Different Can Of Worms

The slew of bot worms unleashed last week exploiting the Windows 2000 Plug and Play vulnerability opened up a can of worms of a different sort that has been simmering in security circles since late July.

For vendors, solution providers and security researchers, the debate over whether and how to disclose vulnerabilities in a vendor’s products is heating up to the point that policy changes may be coming. Traditionally, security researchers go to the vendor first to give the company time to patch a vulnerability before making it public. But not all researchers.

That’s why 3Com’s TippingPoint division recently launched a program to pay researchers to come to them with vulnerabilities instead of going public. If TippingPoint’s move heated the debate, Cisco raised it to the boiling point when the vendor stopped a discussion of a vulnerability in its Internetwork Operating System at the Black Hat conference in Las Vegas late last month.

While conspiracy theorists and reasonable people alike derided Cisco’s actions to thwart discussion of the IOS vulnerability, Microsoft, too, was chided for its vulnerability, despite the fact that it disclosed it and issued a patch.Granted, Cisco went to great extremes to prevent discussion of the IOS vulnerability—from hiring a team of temp workers to rip materials from conference proceedings to getting a court order to stop further discussion. Cisco contends its actions were based on the principle that you shouln’t disclose a vulnerability until the vendor is comfortable that it can avert any attacks. And maybe its actions were the right thing to do, but they were dramatic nonetheless.

Microsoft, on the other hand, disclosed its vulnerability during its monthly “super Tuesday” security updates. And despite warnings from security experts to “patch now,” more than 175 companies were hit by worms exploiting the vulnerability just one week later. In the post-outbreak discussions, many blamed Microsoft for exposing the vulnerability in the first place.Is it ethical for vendors to pay researchers to come to them first? Maybe, maybe not. Is it wrong for a vendor to hide that information from the public? Absolutely. While it may be time to discuss how vulnerabilities are disclosed, there should be no discussion at all about whether they should be disclosed.

CRN Industry Editor Larry Hooper can be reached at [email protected]. CRN Editor in Chief Michael Vizard is on vacation.