More debate over vulnerability disclosure Dec2005

Basically, I just wanted to link to this article since if you have anything to do with the tech industry, and in particular security, you ought to read it. The arguments about the disclosure of vulnerabilities seems to be gurgling just below the consciousness of people who care about this sort of thing.

On one hand, security researches need to play ball with the vendors. If Joe Hacker (hi joe!) finds a hole in Product X, then I firmly believe that Joe has a duty to report this to the vendor first. The hole may or may not be known in the underground and the bad guys may or may not be using it. BUT, the vendor has a duty to also act quickly to patch this and make it known to their customers. If Joe Hacker (hi again!) can find this hole, then so can Evil Mallory (boo!) and nobody wants to be pwnd by Mallory.

So what's the solution? The vendors need to not screw over the researchers. AND, the researchers need to understand that moving a giant company and all it's patching processes is a mammoth undertaking. Having said that, I firmly believe that if the organization takes longer than 90-120 days to get something patched, then their processes are broken... which explains why Product X had a hole in the first place.

Anyways, read this blog post. It's worth it.

These thoughts are my own, unless they're yours. And if they're yours, we may have metaphysical problems beyond simple concept ownership and should probably talk soon.