Rebooting Responsible Disclosure: a focus on protecting end users

"Vulnerability disclosure policies have become a hot topic in recent years. Security researchers generally practice "responsible disclosure", which involves privately notifying affected software vendors of vulnerabilities. The vendors then typically address the vulnerability at some later date, and the researcher reveals full details publicly at or after this time.

"A competing philosophy, "full disclosure", involves the researcher making full details of a vulnerability available to everybody simultaneously, giving no preferential treatment to any single party.

"The argument for responsible disclosure goes briefly thus: by giving the vendor the chance to patch the vulnerability before details are public, end users of the affected software are not put at undue risk, and are safer. Conversely, the argument for full disclosure proceeds: because a given bug may be under active exploitation, full disclosure enables immediate preventative action, and pressures vendors for fast fixes. Speedy fixes, in turn, make users safer by reducing the number of vulnerabilities available to attackers at any given time."

Complete Story

Related Stories:

• Ejection Seats, Cooking Dinner, and Vuln Disclosure(Apr 12, 2010)
• Don't Be Evil Means Don't Be Evil(Oct 12, 2009)
• Editor's Note: Proprietary Ideology: Doing the Same Thing and Expecting Different Results(Mar 07, 2009)
• Cyber Threats Accelerate and Browser Vulnerabilities Proliferate(Jul 30, 2008)
• When Disclosure is Better than Disaster(Oct 23, 2007)