COMMENTARY--The issue of security vulnerability disclosure has been a hot topic for a long time now; however, recent efforts to bring in new disclosure guidelines are unlikely to change anything. It's hard not to chuckle just a little bit every time some group purporting to represent the best interests of the online community comes forward with its draft standard for disclosing vulnerabilities to software companies and the public.
It invariably goes something like this:
The researcher shall notify the vendor X days in advance of releasing details of the vulnerability. The researcher may/may not (please circle) publish exploit code for the vulnerability X days after the initial vendor notification.
The whole thing has kicked up again recently, this time under the banner of the Organization for Internet Safety (OIS), which is a vehicle for security companies like Symantec, SCO, Oracle, Network Associates, and @Stake.
At the core of the latest guidelines is this sacred commandment: Thou shall not release exploit code until 60 days have passed.
It's with great amusement that we've witnessed security researchers and vendors brawl over this issue. Why is this amusing? Well, for starters, it isn't going to make a shred of difference to "Internet safety", whatever the hell that means.
It's important that researchers are free to release details of vulnerabilities to the public--it keeps vendors accountable. Anyone who has found a flaw in a product should be free to disclose it, and should adhere to some sort of guideline when they do.
Vulnerability disclosure guidelines are great to have, there's no argument there. But they're similar to real laws in the real world.
For example, murder is very much illegal. But people still get shot, stabbed, run over, beaten to bloody pulps and otherwise murdered in all sorts of violent and spectacular ways. Laws and rules will always be broken by someone.
These types of guidelines exist to keep people who would never deliberately do the wrong thing from doing it inadvertently. There will always be some tosser lurking around the corner who is more than happy to publish exploit code with zero notice to a vendor, because they like to see the vendor running around like headless chickens and generally freaking out about it.
Then, of course, in come the vendors, who get on their high horse while mumbling about irresponsible disclosure etc etc blah blah, providing even more entertainment for the "3v1l h4x0r" who released the exploit code.
The point is there have been perfectly acceptable vulnerability disclosure guidelines around for a long time. (See the RFPolicy by famed "puppy hat" hacker Rain Forest Puppy, or the CERT/CC disclosure guidelines for examples.) There are people out there who use them, and people who will never use them, so please--let's just not take the whole thing so seriously. It's not life and death.