“Vulnerability disclosure policies have become a hot topic in recent years. Security researchers generally practice “responsible disclosure”, which involves privately notifying affected software vendors of vulnerabilities. The vendors then typically address the vulnerability at some later date, and the researcher reveals full details publicly at or after this time.

“A competing philosophy, “full disclosure”, involves the researcher making full details of a vulnerability available to everybody simultaneously, giving no preferential treatment to any single party.

“The argument for responsible disclosure goes briefly thus: by giving the vendor the chance to patch the vulnerability before details are public, end users of the affected software are not put at undue risk, and are safer. Conversely, the argument for full disclosure proceeds: because a given bug may be under active exploitation, full disclosure enables immediate preventative action, and pressures vendors for fast fixes. Speedy fixes, in turn, make users safer by reducing the number of vulnerabilities available to attackers at any given time.”
Rebooting Responsible Disclosure: a focus on protecting end users
By