Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Article: Vulnerability Disclosure - Where Do You Stand?

As requested by the article, some brief comments are noted below:

1. I disagree with public disclosure of vulnerability details and exploit code, favoring private sharing with the vendors only.

2. Projects like MOBB, MOKB, and MOAB clearly demonstrate no product is safe and vendors need to focus even more on making their products more secure.

3. Some findings might have a small benefit as vendors may patch security holes more expediently. However, this small gain in security is usually far outweighed by arming the bad guys with leading edge exploit code that can be used against an unprotected public.

4. Microsoft and all vendors desire zero defects in their software, although it's not humanly possible.  Security patches for any vendor are prioritized based on risk factors.  With public disclosure, the inventories of outstanding patches might grow, because vendors scramble to provide protection for the unpatched leading edge exposures. 

5. Software vendors may need to add more folks and priority for security issues. Still, I see public disclosure often focused on embarrassing the vendor rather than helping the cause of security.

6. Maybe there's some "middle ground" where privately shared security concerns are logged with an assigned number and tracked publicly on websites. Very sketchy details would be shared on the nature of the vulnerability so there's a reduction of impact to the public, yet there might also be improved accountability by vendors.

7. As a bottom line, leaking even proof-of-concept exploit code to the public is dangerous, as it can be crafted into phishing, spyware, or worm attacks by folks who wish to harm others.  I may have to "agree to disagree" with some of the security experts on perceived benefits of this process.
 
Vulnerability Disclosure: The Good, the Bad and the Ugly
http://www2.csoonline.com/exclusives/column.html?CID=28088

QUOTE: More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less?  If you see a glaring security hole in a sensitive application, what will you do? Will you notify the developer? The users? Other hackers?