Chapter 30. “Responsible Disclosure” Isn’t Responsible
I was pretty amused recently when two people I respect went at each other over vulnerability disclosure, quickly devolving into name-calling. It’s always fun to watch a flame war (nobody got compared to Hitler, but one person did get compared to senile old Grandpa Simpson, walking around with his pants down).
But, to some degree, the two guys seemed to be talking past each other. One was arguing that full disclosure (meaning that vulnerabilities in other people’s software will be made public eventually, no matter what) puts end users at risk, and the other was arguing that finding and fixing bugs is an important part of keeping code secure.
I happen to agree with both of them. Yes, if we didn’t have good guys finding and fixing problems in code, there would be all the more problems for bad guys to find and leverage in their quest to take over the world. This is particularly the case because many development organizations don’t invest in fixing problems, since there aren’t good incentives (plus, there isn’t much of a talent pool for this kind of work).
But, most of the problems in software that bad guys leverage are problems that the good guys have found and publicized.
If we hold to these two arguments, it seems that we can either live in a world where we hide our security problems but are at risk from bad guys easily finding lots of them, or we can live in a world where the good guys hand the bad guys a roadmap for how to be bad ...
Get The Myths of Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.