Story: Do 'irresponsible' security researchers help or hinder?

Posted by: Arthur B. (Wednesday 26 January 2005, 10:03 PM)

In my view it's OK to give the vendors some time to come up with a solution or at least a workaround because, at least in theory, the vendor should be able to give the best solution. Say 20 working days (4 weeks) but no more. After that the flaw, including the already fixed and falsely reported ones, should be made public for the following reasons:

- it allows others to help find a cure or workaround
- it puts pressure on the vendors to at least provide a workaround if they can't meet the deadline (rather than just postponing it until they can finally fix the flaw completely)
- it puts pressure on the flaw finders to only report solid cases or otherwise risk getting named and shamed (vice versa, a vendor that resorts to name calling or flat out denial will undergo the same)
- it puts pressure on the vendors to sell only "responsible" software or otherwise suffer the consequences
- making flaws public under strict rules will make it more difficult for vendors to allow themselves to be guided by other motivations (commercial, PR, etc)
- making flaws public under strict rules will allow for some sort of quality measurement

One exception. Should an exploit of the flaw be found 'in the wild', then the flaw should be made public at once, because then the pressure is on to find a fix or workaround with as much resources as possible.

Another thing. I don't think that anyone would expect perfect software, since that doesn't exist. Flaws will always be part of our lives, because otherwise we wouldn't need so many insurance companies, to name just one example. But history has shown us that the most dangerous flaws are still the ones we're not aware of. That's why there must be pressure on the vendors to fix flaws in a timely manner. This will also help the vendors to ensure that they're prepared to deal with flaws in a timely manner (why allocate time, money and resources to fix flaws in a timely manner if you can find a way to deal with flaws when you want to?).
