Why full disclosure is an important tool


Guest editorial by Danny Quist

This latest Adobe vulnerability has created a stir on some of the closed mailing lists regarding full disclosure. While I would have liked to think that this debate was over a long time ago, I now realize that everyone has disagreed to disagree.

On one side we have the people that are doing remarkable work by researching these flaws, disclosing them with appropriate warning to the vendors, and letting the public know about the problems. On the other side of the argument are the limited disclosure people.

[ SEE: Adobe swings and misses as PDF abuse worsens ]

The advocates of limited disclosure are excellent researchers whom I know and respect. Still, it floors me that anyone considers it acceptable for vulnerabilities to remain unpatched for a serious length of time. I consider 90 days entirely too long to patch a vulnerability. Adobe's statement that a patch would be issued 18 days after public disclosure is highly irresponsible.

[ SEE: Critical Adobe Flash Player patch coming ]

You can disagree with full disclosure, but it is a useful motivational tool. Microsoft responded well to its problems: it created a security development process that is unparalleled in the industry. Adobe, it's time for you to step up as well. Limited or closed disclosure creates complacency, which amounts to willful neglect.

I wish there was some other way than full disclosure to motivate vendors. Unfortunately it is the only method available that has a proven track record of working.

* Danny Quist is the CEO and co-founder of Offensive Computing.

Topics: Enterprise Software, CXO, Security


Talkback

3 comments
  • offensive is definitely what it is

    I don't know what Adobe's problem is, but it
    seems sure they have one.

    More self-promoting by self-aggrandizing
    'researchers' is definitely no answer at all.

    You have the practical demonstration right in
    front of you, in what you complain about - the
    18 days.

    And as far as the rest, full disclosure is a
    completely destructive act. No posture will
    improve it.

    Narr Vi
  • RE: Why full disclosure is an important tool

    Advocates of limited disclosure tend to conveniently forget that in the past some companies have sat on known vulnerabilities for YEARS before fixing them.

    As the article says, full disclosure has been historically proven to be the only way of forcing most companies to fix security failings in a timely manner.

    There are various arguments about full disclosure vs limited disclosure, but I'll note that people who have attempted to get companies to fix things before full disclosure occurs have sometimes been stalled for months before fixes are issued.

    Full disclosure wouldn't be needed if programmers weren't so sloppy. The fact is, they are and no amount of screaming about disclosing security vulnerabilities will change that.

    For what it's worth, I've seen a number of full disclosures which explained how various hackers I'd been tracing were able to break into systems. In all cases they had been exploiting vulnerabilities well _BEFORE_ the announcement and usually well before the date the researcher claimed to have found the hole.

    Uncle Stoat