Responsible disclosure, or headline grabbing?

Recently, I let Cisco have it for using the responsible disclosure argument for something that had actually been known and supposedly (security advisory keeps changing) fixed for months.  I've touched on the topic of responsible disclosure before and firmly believe that a reasonable amount of time must be given to the vendors and the public to create, test, and apply the patch before any disclosure is done.

Yesterday, EWeek reported on and linked to a company site that released exploit code for running a denial of service attack against the Windows XP RDP service one day after Microsoft released the official patch for the RDP DoS vulnerability. You could say that at least they gave Microsoft, the vendor, enough time to test and release a patch, but what about the public? Are they not entitled to a little breathing room to apply the patch? Wouldn't it have been a bit more responsible to give the public two weeks to test and deploy the patch before releasing exploit code that any script kiddy can use? As it stands now, you had until yesterday to apply your Microsoft patches.