Ethical Disclosure
By Enterprise IT Planet Staff
January 20, 2006
Remember the recent WMF flaw? Part of what made the whole situation a stressful time for IT workers is that details about the vulnerability were disclosed online; keeping Microsoft, as they say, "out of the loop." To no one's surprise, a zero-day appeared.
This week, we spotlight a thread that discusses how to responsibly alert vendors of security holes in their products, a process called ethical disclosure.
Wait! You didn't think you'd be sent on your way without some controversy.
You see, discussing ethics can become quite a subjective matter, even when socially accepted norms appear clear-cut. What one person considers ethical can seem downright immoral to another.
This AntiOnline tutorial touched off a heated debate about the ethics of vulnerability disclosure. Some would argue that immediate disclosure effects change at a brisker pace (WMF again) and encourages vendors to tighten up their development practices.
Others point to the complexity of software today, where yesterday's feature becomes today's liability. They would say that out of respect for users, and the community at large, vendors should be given a chance to make things right.
So, is it better to go through the proper channels or let the chips fall where they may? Ultimately, it is up to the individual to make that call.
One thing is certain, however. In a time when computers run practically everything, that decision can have far-reaching repercussions.
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
First, the tutorial by Soda_Popinsky that started it all.
Newcomer MS_Security believes in a different approach.
Perhaps a middle-of-the-road approach? HTRegz suggests...
Where do you stand? Voice your opinions here.