http://msmvps.com/blogs/castlecops/archive/tags/Disclosure/default.aspxTags: DisclosureenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/castlecops/archive/2005/04/27/44737.aspxWed, 27 Apr 2005 05:44:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:44737paul0http://msmvps.com/blogs/castlecops/rsscomments.aspx?PostID=44737http://msmvps.com/blogs/castlecops/archive/2005/04/27/44737.aspx#comments<P>Just a month ago now, <A href=http://www.computerworld.com/printthis/2005/0,4814,100637,00.html>legal threats</A> by Sybase directed at NGS Software were used to&nbsp;cease the full disclosure of eight holes in its product.&nbsp; NGS Software disclosed their findings to Sybase and advised them its public disclosure would occur three months after that.&nbsp; Sybase didn't like that, but it all worked out in the end after they reached a settlement.&nbsp; Could it be that Sybase didn't have enough time to warn their customers about the upgrade?</P> <P> <BLOCKQUOTE> <HR> Responsible disclosure of software flaws by vulnerability researchers has "significantly improved" the security of products, Powers said. <HR> </BLOCKQUOTE> <P></P> <P>I concur.&nbsp; </P> <P>So what is responsible disclosure?&nbsp; Talk to the security mailing lists and there is a difference of opinion.&nbsp; Even Wikipedia references &#8220;full disclosure&#8221; as <A href=http://en.wikipedia.org/wiki/Full_disclosure>controversial</A>.&nbsp; I'd like to see the world take on the stance of &#8220;responsible disclosure&#8221;:</P> <P> <BLOCKQUOTE> <HR> Some believe that in the absence of any public <A title="Exploit (computer science)" href="http://en.wikipedia.org/wiki/Exploit_%28computer_science%29">exploits</A> for the problem, <I>full and public disclosure</I> should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called "<A class=new title="Responsible disclosure" href="http://en.wikipedia.org/w/index.php?title=Responsible_disclosure&amp;action=edit">responsible disclosure</A>". <HR> </BLOCKQUOTE> <P></P> <P>I'd like to take that a step further, and break it down:</P> <OL> <LI>Report the vulnerability to the vendor with a suggested patch, <LI>Obtain a response from the vendor and establish a patch release and public disclosure timeline in that order, <LI>Vendor releases tested patch, <LI>Full public disclosure is made with credits.</LI></OL> <P>If the vendor does not respond, make a couple more attempts and then release the disclosure.&nbsp; Mark it as &#8220;vendor MIA&#8221; or similar.&nbsp; Note, the suggested patch is still included in the release.</P> <P>If a suggested patch is unavailable, find someone who can help you.&nbsp; If you cannot produce any of the above, list that in your disclosure timeline.&nbsp; Show proof you have been responsible in trying to contact the vendor and/or produce a patch.&nbsp; If the above fails, and there is nothing left except for the vulnerability report, then by all means have at it.&nbsp; Release the report and let the chips fall where they may.&nbsp; At least you've shown due diligence.</P> <P>Timeframe?&nbsp; Is three months too long?&nbsp; Is eight hours too short?&nbsp; Personally, I've always kept mine to below a month.&nbsp; The idea is to get a patch out there quickly.&nbsp; The less holes available for poking, the better.</P><div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=44737" width="1" height="1">Disclosure