Story: Do 'irresponsible' security researchers help or hinder?
I'm afraid my take on the whole disclosure uproar is that, while disclosure may increase my risk, lack of disclosure increases it more. The security flaw will exist whether it's disclosed or not, and the track record over the last 20 years quite frankly shows that the bad guys will find the flaws and exploit them whether they're disclosed or not. If the flaws are disclosed it speeds up the exploits, but at the same time it permits me to take action such as restricting access to the vulnerable points or even removing vulnerable services entirely until the problem's fixed. I can't take that kind of protective action unless I know there's a problem.
The vendors certainly don't like disclosure; it makes them look bad to have security flaws in their products announced to the world. I'm sorry, though; I rate the security of my own systems somewhat higher than the vendor's reputation. And to be honest, if the vendors actually addressed the problems in a timely fashion there wouldn't be an issue with disclosure. The current public disclosure is a reaction to vendors refusing to even acknowledge problems, let alone fix them, when vulnerabilities were reported only to them and not publicly disclosed. Public disclosure, even with its short-term risks, seems to be the only way to get vendors to actually fix the problems as opposed to denying they exist and leaving everyone exposed and vulnerable. If the vendors don't like public disclosure, perhaps they should start treating security problems as problems that need fixing as soon as reported and not as PR issues that need to be spun or made invisible.
Full Talkback thread
I'm afraid my take on the whole disclosure uproar... - Todd Knarr
In my view it's OK to give the vendors some t... - Arthur B.
Here are a few key points: 1st: The guys who write... - Michael
Mitsubishi Motors in Japan hid critical informatio... - Anonymous
Let's face the issue head on! When a company knows... - Anonymous