
Debate around 'partial disclosure' heats up

There are many ways of telling the world about a security vulnerability. A vulnerability can be announced without telling the vendor, it can be announced after giving the vendor a period of time to fix the issue, or it may just be circulated amongst the underground without ever coming to the surface.
Written by Adam O'Donnell, Contributor

Over the past several months, security researchers have started experimenting with a new vulnerability disclosure model, known as "Partial Disclosure", whose effectiveness and implications have yet to be resolved. The proper way of informing the public about security vulnerabilities has been a topic of debate since before the birth of the information security field. Advocates of what is known as "Full Disclosure" believe that the bad guys will know about software vulnerabilities before the good guys do, and as such advocate that any and all vulnerabilities discovered be brought to light as soon as possible. "Responsible Disclosure" supporters attempt to give software vendors an opportunity to repair their products by announcing the vulnerability to the vendor a period of time before going public, thus allowing the developers to create patches for the problem.

A hybrid model, known as "Partial Disclosure", has been gaining attention in the industry. Under partial disclosure, researchers announce the existence of an issue without providing any details in order to coax a coordinated response out of several vendors simultaneously. The disclosure technique was used quite successfully this summer by Dan Kaminsky for the repair of his brand of DNS cache poisoning attacks. Robert E. Lee and Jack C. Louis are using the same disclosure technique to try to repair a DoS issue in the TCP stack. The researchers have been quite circumspect with providing details of their attack, which may or may not have anything to do with saturating a receiver with full-open sockets.

On the surface, partial disclosure looks great. Vendors are given more time to fix vulnerabilities and can act in a coordinated fashion, and researchers and their employers receive the public attention they require to maintain the appearance of industry thought leadership. The story behind the scenes is a bit more brutal. Only the top researchers have the political capital required to engage in partial disclosure. Those who do engage in partial disclosure face harassment from their peers, who believe that the severity of the vulnerability they are keeping under wraps is exaggerated. Anyone without this reputation is left to do more traditional disclosure.

Our community is still exploring the best ways of conveying bad news to a large group of people. For situations where cooperation is required across multiple vendors for fundamental problems, partial disclosure may be the best tool we have at the moment.
