11321

IT Management Daily
Storage Daily
Security Daily
 FREE NEWSLETTERS
search
 

follow us on Twitter


internet.commerce
Be a Commerce Partner

internet.com
IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers


Related Articles
Admins to Microsoft: WMF?!
The Year in Vulnerabilities

Security Products
 Bulletproof Public PC (Pc-Safety)
 Outlook Duplicates Remover (Outlook Duplicates Remover)
 Power Registry Suit (GETVideoSoft)
 Secure Email (Secure Email)
 Password Genie (SecurityCoverage, Inc.)
 PC Cop (Maximum Software)
» Enterprise IT Planet » Security » Security Features

Ethical Disclosure

By Enterprise IT Planet Staff
January 20, 2006

Email Print Digg This Add to del.icio.us

Remember the recent WMF flaw? Part of what made the whole situation a stressful time for IT workers is that details about the vulnerability were disclosed online; keeping Microsoft, as they say, "out of the loop." To no one's surprise, a zero-day appeared.

It could have all been averted if only someone bothered to contact Microsoft and given them time to come up with a patch.

This week, we spotlight a thread that discusses how to responsibly alert vendors of security holes in their products, a process called ethical disclosure.

Wait! You didn't think you'd be sent on your way without some controversy.

You see, discussing ethics can become a quite a subjective matter, even when socially accepted norms appear clear-cut. What one considers ethical can seem downright immoral by another.

This AntiOnline tutorial touched off a heated debate about the ethics of vulnerability disclosure. Some would argue that immediate disclosure effects change at a brisker pace (WMF again) and encourages vendors to tighten up their development practices.

Others point to the complexity of software today, where yesterday's feature becomes today's liability. They would say that out of respect for users, and the community at large, vendors should be given a chance to make things right.

So, is it better to go through the proper channels or let the chips fall where they may? Ultimately, it is up to the individual to make that call.

One thing is certain, however. In a time when computers run practically everything, that decision can have far-reaching repercussions.

Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.

Spotlight Thread:
Ethical Disclosure

First, the tutorial by Soda_Popinsky that started it all.

When one comes across a vulnerability, they can do one of four things:

  • Full Disclosure
  • Ethical Disclosure to vendor/author
  • No Disclosure
  • 0-Day Exploitation of vulnerability

This is the process I use for disclosure of vulnerability, and it's pretty simple. I believe that the first party to receive technical information about a vulnerability should be the vendor/author or service responsible for creating the vulnerability...

Newcomer MS_Security believes in a different approach.

I would say the opposite is true, and in a free market environment, this type of disclosure does more harm than good. It protects vendors and encourages them to create the idea that people who do no not help protect sloppy vendors are some how unethical.

Perhaps a middle-of-the-road approach? HTRegz suggests...

I think that as long as you don't give the details that you're being responsible. Prime example: a problem with a certain chipset of wireless card looking for randomly named APs. And it's the driver that causes it to do this.

This was just reported. However the name of the chipset and the name of the APs were not released. However the vendor was also contacted specifically. It is Full Disclosure, but it's done responsibly.

Where do you stand? Voice your opinions here.

Email Print Digg This Add to del.icio.us

Security Features Archives