Listening to a podcast on the way home from work, I heard the topic of responsible disclosure come up yet again. I can't tell you how much I tire of hearing this topic discussed. The thing that really irritated, no, not irritated, pissed me off about this one is that one of the individuals was stating something along the lines of there being no such thing as responsible disclosure and that Full Disclosure is the way to go.
Here is my issue with this. There is already a thin line separating the security professional from the individuals we, as professionals, strive to protect our employers from.
Black hat, white hat, gray hat... gimme a break already
If you're a black hat, your stance on vulnerability disclosure is obvious: you only care about making a name for yourself, regardless of the consequences of releasing the details and exploit code that prove the vulnerability exists and show how to leverage it to gain access to systems that black hats, script kiddies and foreign nations have no authorization to access.
If you're a white hat, you follow the proper moral and ethical path and notify the vendor before releasing the details to the general public. Your concern is with protecting your employer, your customers or the national infrastructure. I applaud you...
If you're a gray hat, you need to realize you are no better than the black hats; you're only out to make a name for yourself because you're confused or just feel you're better than everyone else... seek professional help...
As sexy and “cool” as Full Disclosure may be to some people, how does it help the community? How does releasing the details and exploit code for a vulnerability assist the vendor in developing and testing a proper fix? How does Full Disclosure protect our employers, our customers or our national infrastructure?
Here are the answers; it doesn't take a freakin' rocket scientist to figure this out. Releasing the details of a vulnerability or releasing exploit code before properly notifying the vendor and allowing time for the development of a fix forces the vendor to push out a crap fix just to address the specific flaw that someone released to the world. Of course, in doing this you get a band-aid that may correct the specific flaw and introduce others due to improper QA on the fix. Say it with me now... Band-Aid. News flash: Band-Aids fall off...
Releasing the details and exploit code potentially jeopardizes companies and governmental agencies, because the exploit code reaches script kiddies and hostile foreign nations well before the vendor can properly push the fix. Even after a vendor releases a fix, most modern companies and agencies then have to put it through internal testing and validation to ensure it doesn't impact the operation of the affected server or software application.
Even in the best case of a rushed vendor release, you're talking a week at best for the vendor to go into rush mode to develop and push the fix, then another week or two for the users of the vulnerable application to receive and test it. That leaves a gaping window of at least two weeks for exploitation of the affected service...
Seriously, people: if you are a professional in the security field and you work to protect your employer and/or customers... stop talking and think about the words that come out of your mouth and into the podcasts or onto the websites...
I understand the point of saying... oh, Full Disclosure... force the vendors to stop pushing bad code by exposing their flaws... but at what cost do you prove that point? Are you, as a “white-hat”, ethical security professional, going to potentially expose PII or classified governmental information just to poke at a vendor and make fun of them in your next Defcon/Blackhat/B-Sides presentation?
/rant off