Linux Today: Linux News On Internet Time.

Rebooting Responsible Disclosure: a focus on protecting end users

Jul 22, 2010, 04:36

"Vulnerability disclosure policies have become a hot topic in recent years. Security researchers generally practice "responsible disclosure", which involves privately notifying affected software vendors of vulnerabilities. The vendors then typically address the vulnerability at some later date, and the researcher reveals full details publicly at or after this time.

"A competing philosophy, "full disclosure", involves the researcher making full details of a vulnerability available to everybody simultaneously, giving no preferential treatment to any single party.

"The argument for responsible disclosure goes briefly thus: by giving the vendor the chance to patch the vulnerability before details are public, end users of the affected software are not put at undue risk, and are safer. Conversely, the argument for full disclosure proceeds: because a given bug may be under active exploitation, full disclosure enables immediate preventative action, and pressures vendors for fast fixes. Speedy fixes, in turn, make users safer by reducing the number of vulnerabilities available to attackers at any given time."
