aaron posted in Uncategorized on September 12th, 2009
If you’re around Boston this Thursday night, definitely check out this presentation by Zach at the Boston NAISG (National Information Security Group) on “Disclosure Samsara,” or “The Endless Responsible Vulnerability Disclosure Debate.” This is the official meeting page; details for the time, location, and RSVP can be found there. It will be held at the Microsoft building in Waltham, and chances are there will be some type of MRL caravan, so let us know if you’ll be heading out.
Here’s the full synopsis of the talk:
Vulnerability disclosure can help make software and hardware vendors and service providers accountable for shortcomings in their offerings, and full disclosure can give IT and information security professionals the information they need to validate the resilience and efficacy of their controls. Generally speaking, a happy balance is achieved when vulnerabilities are disclosed in a responsible manner. But what is “responsible”?
It’s been nearly a decade since the introduction of RFPolicy, a document often considered to be the basis for modern, responsible vulnerability disclosure, yet there still remains a significant division between the camps of “full disclosure,” “partial disclosure,” and “zero disclosure.” The “responsible disclosure” debate seems to be an endless cycle, coming back fully reconstituted just when we think it’s run dry.
Lawsuits, gag orders, and boatloads of drama are some of the negative consequences researchers have dealt with when disclosing a bug or flaw to a vendor. This type of reaction can be very discouraging for a security researcher, possibly resulting in their avoiding communication with the vendor in favor of disclosing the issue outright, or even selling the details to the highest bidder.
With continued, accelerated awareness and discussion, the information security community can work toward solidifying an approach to responsible disclosure that, amongst other things:
* Facilitates interaction between the researcher and vendor or service provider
* Acknowledges the researcher’s work
* Provides adequate protection for the security researcher
* Builds a reasonable timeline and plan for a solution to the bug or flaw and its public disclosure (and keeps parties from stalling)
Zach Lanier is a New England-area security consultant and occasional security researcher. His areas of focus are network and application penetration testing, intrusion analysis, and general hackery. He’s the maintainer of the Security Twits list and one of the co-founders of Midnight Research Labs Boston, a local hackerspace.