On disclosure of information…

Recently the omnipresent discussion about the practice of full disclosure of details regarding (information) security vulnerabilities was freshly fueled. Google employee and researcher Tavis Ormandy published the details of a serious weakness in windows xp help center. You can read the details here.

To disclose or not to disclose…

Basically in the discussion about disclosure of information in computer security, there are two camps: those defending the full immediate disclosure of vulnerability information, opposed by those that plead the case for (partial) disclosure after the vendor has been properly informed about all details, giving said vendor time to take action.

Already in 2007 Bruce Schneier commented on the disclosure of vulnerability details. He makes the case for full disclosure. Some vendors are heard strongly advocating the practice of disclosure to the vendor only and putting the decision of public (non-) disclosure into their hands.

The good…

What are the benefits of full disclosure? First of all, informed people can take appropriate action if they deem it necessary. Informed people in this case are thus better protected than the ignorant masses. Furthermore vendors are motivated to do something about the issue that is now in the public, which can be an asset since it leads to a better product and hence happier customers. Thirdly, the bad guys know the flaw is in the clear, and that probably "the way in" through this discovered weakness will be dealt with shortly.

The benefits for vendor-only disclosure are that the vendor has time to come up with a solution before making the details of the flaw in their product public. The vendor can publicly admit "there is a flaw in produce so-and-so, and this is how you fix it". In their eyes that sounds a lot better than letting a third party disclose information about any flaws in their product.

The bad…

There is a downside to the full disclosure practice in that by informing the public you also inform the potential criminal that wants to abuse the flaw to get to whatever it is he is after. In computer crime, it mostly means getting your identity or banking details, and thus money … your money.

The downside for a vendor-only approach has to do with time frames. Between the moment of vendor awareness -i.e. the vendor receives the details of the flaw -, and the moment the vendor decides to inform the public, how much time is reasonable to expire? A week, a month, maybe a year even? Fact is that some flaws are sometimes left publicly undisclosed for years before ever being addressed with a solution.

The ugly …

Worst case scenario in the full disclosure practice is that the bad guys immediately start exploiting the flaw that was publicly announced, without the vendor having  a solution or band-aid ready to protect its customers. This could lead to serious image deterioration, causing customer dissatisfaction and perhaps even revenue (customer) loss. On the other hand, if you first inform the vendor allowing to come up with a fix, it could very well be that because of the above mentioned risk of image damage, or other reasons a fix will take time, above and beyond a reasonable time frame. The ugly side is, that in the vendor-only approach, the aforementioned risk is not mitigated or eliminated. It still exists, we all know obscurity in no way equals security –very much the opposite is true.

Take the bad with the good and go on…

In my humblest of opinions, the question of disclosure – how much, when and to whom – is a rather complex one to answer. First off, not all flaws or weaknesses are created equal. The criticality can play a part in deciding what to disclose. Secondly, you might be legally disallowed to publish certain info without the vendor's consent, i.e. there are perhaps matters of intellectual property or closed source systems are probably patent protected in such a way that disallows any third party to publish information related to the product. Thirdly, it might be that disclosing without consent is seen as an act causing damage to (the reputation of) a vendor, which could expose you to legal scrutiny.

However, in spirit of one of the basic ideas behind the internet – the free exchange of information – it would be a good idea to disclose as detailed as possible to the public the extend of any flaw or weakness in a system that is widely used. First of all, if you as a security professional are able to discover a weakness, rest assured there will be bad guys that are as smart as you (or even smarter). So the tactic of keeping it under the radar is not effective after all. Secondly, public disclosure allows for the public to investigate the problem and come up with a solution. The free exchange of information can work (and mostly does work) two-ways. Thirdly, there is the question of "reasonable" time frame. Suppose we first tell the vendor and wait for them to fix the problem and publish the details. There is no effective way to define what "reasonable" is regarding a waiting time frame, i.e. when a weakness is actively exploited the time for waiting has long past.

I do believe in informing the vendor of a product immediately of any flaws discovered and telling them where you are going to publish your discovery and what information you are going to share. Also, provide them with the most detailed report possible, so they can have a well informed effort to fix the problem. Work with them to get their consent to publish to the public immediately. The limit should be in the content not in the time frame in which you let the public know of a discovered problem. Perhaps you might even have found a work around or a partial/temporary fix for the problem at hand and the vendor could appreciate your efforts in helping them informing their customers. One might hope that vendors welcome the reports, as they are relatively cheap ways to improve existing products.

In conclusion: in matters of disclosure of flaw related information, there are matters of risk, economics, image and even ethics that each play their part. I truly believe in fully informing the public to the most far reaching extent possible, because the benefits of this action outweigh in most cases the disadvantages that come with disclosure. However, I do feel that is only fair that you inform the vendor first about one of their products which you discovered as wanting a fix. As with so many issues, the decision and extent of the disclosure shall be determined by the circumstances of the moment of discovery. There is no absolute right answer to this one.

I have always believed in open communications and honest, free exchange of info. It leads to understanding, and that in turn can lead to beautiful solutions.

Feel free to discuss. Stay Secure online!