To disclose or not to disclose

Is full disclosure a way to inform security managers, or does it do the opposite by arming attackers with otherwise concealed information about flaws in software? The debate rages as CERT announces disclosure plans.
Written by David Raikow, Contributor

On Oct. 3, the CERT Coordination Center, a branch of the Software Engineering Institute at Carnegie Mellon University, announced that it would begin regularly issuing detailed reports describing security vulnerabilities in existing software. Under that new policy, CERT will give software vendors a 45-day "grace period" after learning of a bug to investigate the problem and develop patches or workarounds. After 45 days, CERT will release its report, whether a fix is available or not.

That may seem like a minor and innocuous announcement. But it has the potential to significantly change the way security managers do their jobs.

The question of vulnerability disclosure is one of the most hotly debated topics in the network-security community, often arousing the type of emotional response normally reserved for abortion or gun control. Many, particularly among open-source enthusiasts, argue that users and administrators have a right to information about the software running on their machines. It follows that security problems should, therefore, be publicized as widely and in as much detail as possible—including source code demonstrating how to exploit them. Forewarned is, after all, forearmed.

Network Flight Recorder CEO Marcus Ranum, among others, argues that "full disclosure" amounts to arming criminals. While only a tiny percentage of the general public watches for announcements of new security bugs, would-be attackers do so on a regular basis. Moreover, only a bare minority of those attackers possess the skills to find vulnerabilities on their own. As a result, many of the problems bug spotters highlight become a real threat only because of those warnings. "Full disclosure is creating armies and armies of script kiddies," according to Ranum.

The truth, of course, is somewhere in the middle. Few administrators take advantage of the information available in security warnings, while the vast bulk of attackers rely on them. Full disclosure is responsible, to some degree, for the huge numbers of unskilled "script kiddies" that plague Net security managers.

It also is true, however, that that kind of information has a way of getting out to the "bad guys" whether or not a formal announcement is made. Meanwhile, the threat of widespread disclosure is, in fact, the only thing that gets most security bugs fixed. I've never found a vendor that wouldn't deny, ignore or mischaracterize a security problem if it could. Bug fixes have no profit margin—the threat of a PR disaster is all that keeps vendors honest.

As one of the few widely trusted and respected players in the security field, CERT now has the opportunity to become a kind of central clearinghouse for vulnerability information, while shaping the standards for responsible disclosure in ways existing mailing lists cannot. The end result could make it a lot easier for the good guys to stay on their toes. Listen to the debate for yourself at www.securityfocus.com/info.sec.radio.

David Raikow is technology editor of Sm@rt Partner. He can be reached at david_raikow@ziffdavis.com.
