Monday, April 12, 2010

Responsible Disclosure: Part 2

I've touched on responsible disclosure of security vulnerabilities in the past but this got me thinking - when is it right to disclose a security vulnerability?

I think this is a prime example of a) when to disclose b) when to consider evaluating other vendors.

Literally, why is this even controversial? If a vendor is that lame when it comes to acknowledging security bugs, it highlights a complete lack of awareness and of any internal process for getting these things fixed; more than that, it indicates a shameful attitude on the vendor's part towards security. Even if they fix this bug (after you publicly disclose it), why wouldn't you consider moving towards a competing product?

I've found myself in a similar situation in the past. FWIW, I've had senior management agree that public disclosure is the acceptable path if the vendor refuses to fix security bugs. It's definitely doable; you just need to be clear on your motives. It's not about getting the glory of the find at that point, it's about fixing the vulnerabilities within your organisation and doing your job as best as you can.

Oh, and you also want to be damn sure you have something to mitigate the finding in the interim (or otherwise accept the interim risk until it is fixed).

- J.