Full Disclosure mailing list archives
Re: "responsible disclosure" explanation (an example of the fallacy of idealistic thought)
From: robert () dyadsecurity com
Date: Tue, 9 Aug 2005 00:22:29 -0700
Matthew Murphy (mattmurphy () kc rr com) @ Tue, Aug 09, 2005 at 01:42:36AM -0500:

> In this scenario, much as a software vulnerability, two factors are consistent. The threat (the malicious individual seeking to move things illegally or harm life or property) is fixed, as is the vulnerability (the weakness that allows that individual access). The only component of the puzzle that is not static is the actual risk of the threat becoming reality (exploitation of the vulnerability).

This argument is old and neither side can be substantiated to the point of swaying opinion. That said, it is really arrogant to assume that the 1st security researcher to share the information publicly was the 1st person (or only person) to find the problem. We (at dyad) find multiple "0day" problems in software every week. We don't share any of them with the community at large, partly because of ungrateful people like you, and partly because it doesn't provide any real value anyway. I know we're not the only researchers to feel this way. Just know that for every advisory that comes out, there are likely 100-1000x more problems being discovered, harvested, and used for noble and malicious purposes. On the internet, information flow isn't contained. The people who create the software are not the only people who find the problems, therefore they cannot be the only source for information exchange, and indeed may not be the most appropriate source for vulnerability information.

> The point you miss is that by withholding vulnerability details, I guarantee nothing, other than that those details are less widely known. I agree that patch processes should be more expeditious, but the solution to that dilemma is not to force companies to sacrifice quality by creating an imminent risk that did not otherwise exist.

The imminent risk is caused by the vulnerability existing in the software being discovered, not by having the advisory with good details publicly shared. Having the details shared helps the end users know their risks. With tools like unicornscan (http://www.unicornscan.org) becoming more widely deployed, as soon as an 0day is discovered, it's a simple matter to hit every publicly available IP on the internet in under 24 hours. There is imminent risk as soon as the 1st malicious person finds the bug.

Robert

--
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- "responsible disclosure" explanation Georgi Guninski (Aug 05)
- Re: "responsible disclosure" explanation Florian Weimer (Aug 08)
- Re: "responsible disclosure" explanation Georgi Guninski (Aug 08)
- Re: "responsible disclosure" explanation Jason Coombs (Aug 08)
- Re: "responsible disclosure" explanation Jason Coombs (Aug 08)
- Re: "responsible disclosure" explanation (an example of the fallacy of idealistic thought) Matthew Murphy (Aug 08)
- Re: "responsible disclosure" explanation (an example of the fallacy of idealistic thought) robert (Aug 09)
- Re: "responsible disclosure" explanation (an example of the fallacy of idealistic thought) Florian Weimer (Aug 11)
- Re: "responsible disclosure" explanation Georgi Guninski (Aug 08)
- Re: "responsible disclosure" explanation Florian Weimer (Aug 08)
- <Possible follow-ups>
- Re: Re: "responsible disclosure" explanation Daniel H. Renner (Aug 09)