What is right or wrong with full disclosure of a particular vulnerability, and where should information security professionals draw the line?
Interesting debate going on over at Dark Reading that deserves to have more people chime in on what are the issues with full responsible or irresponsible disclosure. At this point we have hit a stasis point where both are practiced with wild abandon, the track record of corporations filling security holes can be extraordinarily poor (like apple or oracle), or extraordinarily good (like the recent case with twitter filling a hole in their crossdomain.xml file in 90 minutes).
Andrew Jaquith, an analyst at The Yankee Group, agrees. “The debates about full versus responsible disclosure, proof-of-concept code, and attack/exploit frameworks are passionate. People argue their points of view with incredible conviction — but without any empirical evidence one way or the other,” Jaquith says. “What we need are metrics that show the effect — or not — of PoC/exploit code on customers. Is it helping them detect problems and fix them? Or does it increase their exposure to attack? The debate needs move from philosophizing to facts, and from dogma to data.” Source: Dark Reading
You can take their survey with a link off their page as well if you are interested in chiming in.
While tools like Metasploit, scanners, deep hacker tools, DIY virus and malware kits, as well as free information spread around the internet it is possible to work out exactly what is going on in the zero day world, it is also important that the idea of POC code be part of the argument. Many (and this has been true of my experience in information security) will not believe a vulnerability until they see it. The only way to grab someone’s attention then has to center on the idea of POC (Proof of Concept) code.
Even with POC code, it can still take some vendors over a year to fix a flaw that can reasonably compromise a computer. There is a certain level of frustration with all that, not just on the glory must get credit for the hack side of it, but knowing full well that software companies are putting people at risk. Just because one person discovered the issue, does not mean that others have not, and also does not mean that someone is not out there actively exploiting the flaw unbeknownst to trusting software users.
With all the things that happen in the exploit world, probably one of the most contentious is the idea of Zero day reporting, responsible disclosure and POC code. It sometimes boils down to the same dogmatic arguments that are often found at the Linux/Windows arguments on who is better. I agree with Rich Mogull on this one, time to move past the dogma and get some accurate numbers. The numbers about Linux adoption and open source adoption have made the analysis of who is winning or losing the OS war easier to support, time to do the same thing for full responsible and irresponsible disclosure.