Security Researchers and Public Disclosure - Pros and Cons
Recently, a security researcher and a vendor could not reach private agreement on a newly discovered security weakness. Unfortunately, the researcher later published Proof of Concept (POC) exploit code, and harmful zero-day attacks were circulating in the wild within a few days.
Fortunately, the vulnerable feature is rarely used, and exploits are not in wide circulation. Anti-virus protection and other workarounds help mitigate the risk until the issue is patched.
In reflecting on this incident, it is difficult to see the value in forcing vendors to patch their products within a specific timeline. Individuals who care about security should never give vendors an ultimatum of the form "patch by this date, or the POC code will be published to the underground."
Some Limited Benefits of Public Disclosure
* There are a few cases where vendors have known about issues for years, yet the issues go unpatched because they are minor or very difficult to exploit. Some security researchers believe that public disclosure is the only leverage they have to achieve improved security.
* Public disclosure brings immediate pressure on a vendor to patch a serious issue. Some security researchers are also tuned into the underground and may point out valuable emerging developments. When the vendor does not respond, they feel a need to illustrate the importance of the issue with POC code.
* I believe H. D. Moore and Aviv Raff's "Month of Bugs" projects were beneficial in improving security. For example, they picked a topic like browsers and demonstrated why almost all vendors had weaknesses. Most items were minor in nature. Their daily bug publications prompted all vendors to commit more money and focus to security. This type of "wakeup" call led to a better security focus by most vendors.
Disadvantages of Public Disclosure
Yet for the most part, the negatives of public disclosure outweigh the positives, as follows:
* Zero-day attacks may be introduced, forcing emergency workarounds and patches from the vendor and anti-virus providers.
* Malicious developers can take POCs and ramp them up a few notches, possibly discovering something even more harmful.
* Some people do not patch promptly or defend their systems with up-to-date anti-virus protection. Even after a vendor has patched, these users remain vulnerable to attacks that might never have been implemented in the wild had the POCs been kept private.
* Vendors have only a limited number of qualified people working on security patches. Public disclosure and the resulting exploits force them to patch or create workarounds immediately, which can delay work already in progress on patches for more mainstream attacks.
* Sixty or ninety days may not be enough time to implement changes, given work in progress and the need for a quality release across the different permutations of hardware and software.
If the security researcher has shared the issue privately and exploits emerge because of a slow response by the vendor, the researcher has done their job; it is the vendor's fault for failing to respond in a timely fashion. The researcher can even document, in generic terms, that they privately reported an issue, keeping the details away from malicious authors who may harm others with attacks.
Certainly, security researchers want to enhance their reputations, income, and careers. I believe many have an altruistic mission in wanting to protect the public. Many are highly talented professionals and provide valuable protective contributions for society. I encourage them to put their talents to work for the good of society through private responsible disclosure.