
Mozilla: Researchers should practice responsible flaw disclosure

Mozilla dived into the debate last week about whether vendors should be …

Security researchers should make an effort to practice "responsible disclosure," according to Mozilla's security chief, Window Snyder. Her comments were made at a panel discussion during the ShmooCon hacker conference in Washington last week. "The researcher has all the power. They control when they disclose it, and they control the idea whether or not the vendor responds in time," she said during the panel, according to News.com.

"Responsible disclosure" means that bug hunters and researchers give vendors time to fix security holes before making them known to the public. The argument often presented by software vendors is that disclosing a bug to the public, sometimes alongside a proof-of-concept exploit, opens the door to attacks until the bug is fixed. "I appreciate the work that's going on and I appreciate a little heads up before the whole world finds out," Snyder said at the panel. "I would appreciate 30 days, but I will take what I can get."

However, not everyone agrees that "responsible disclosure" is, in fact, responsible. In a debate that's been going on for decades, some security researchers feel that vendors have a tendency to put complicated bugs on the back burner unless they are made public, forcing them to address the problem. Veracode founder Chris Wysopal took that stance at the panel, saying that while "the responsible thing" would be to send security flaws to the vendor first, "you get stuck with the vendor not doing anything about it if there isn't the threat that it will be publicly disclosed. Public disclosure is the only way to actually get things fixed."

Researchers also sometimes feel that vendors give too little (or, in some cases, no) credit to those who found the bugs. Ultimately, many security researchers feel that following the more secretive process that vendors demand makes it easier for those companies to downplay their own security holes. "Responsible disclosure is a marketing term," said Immunity's Dave Aitel during the panel discussion. He argued that responsible disclosure hands full control of the security and bug-fixing process back to the big vendors.

However, Snyder seemed to acknowledge that vendors could be doing a better job of interacting with security researchers. "Vendors have a real responsibility to respond to what's reported to them," she said.
