From Black Hat: To disclose or not to disclose?


Though there is still much dissension in the security world over the right way to disclose security vulnerabilities, a panel of researchers, vendors and end users all agreed at Black Hat yesterday that the disclosure environment has improved over the last several years.

Some of the biggest points of contention were the perceived impact of paying for vulnerability research, whether or not it is in the interest of end users for vendors to disclose before developing fixes, and how long a researcher should wait for a vendor to respond to a reported security hole before going public with the information.

While these heady issues continue, it was generally agreed that major vendors have improved their response times during pre-disclosure talks with researchers and have softened their adversarial view toward the research community.

"The top 10 (vendors) pretty much have it figured out," said Paul Proctor of Gartner, who moderated the panel. "Microsoft is in the acceptance phase. Cisco is slowly moving out of the anger stage and into the acceptance stage. Oracle, on the other hand, is just coming out of the denial stage and into the anger stage."

Panelists attributed the improved relations between researchers and vendors to an acknowledgment by both groups that each is trying to help users, even when their philosophies are at odds. They also said that groups such as the U.S. Computer Emergency Readiness Team (US-CERT) have helped to act as a mediator between the two camps when they reach a standstill over certain security flaws.

This can be particularly beneficial when researchers begin to get frustrated with unresponsive vendors and just want to go public with information they've been sitting on for many months.

"I think we've been helpful in applying pressure to keep (vendors) moving along," said Jerry Dixon, deputy director of operations for US-CERT.

Of particular interest to audience members was the debate over whether a vendor should disclose a flaw to its customers before a patch is issued.

Vendors with representatives on the panel, such as Microsoft, Sun and Cisco, typically view that kind of disclosure distastefully, as they consider the risk of propagating information about the flaw to be higher for users than the risk of customers lacking the information to defend themselves. But many audience members, and the researchers on the panel, advocated being told about such vulnerabilities, since that knowledge can affect their decisions.

"It depends on the context, but if they were to do that, it could help people with decision making," said Raven Alder, a security researcher on the panel. "For example, if I knew right now that there was an unpatched OS X vulnerability I probably wouldn't connect my computer to the network here at Black Hat."

In a show of hands, approximately half of the security experts responsible for enterprise systems said they would prefer full disclosure to being kept out of the loop.

"Everyone's business is different," one audience member said. "You just don't know our risks, so who are you to decide what is and isn't an important flaw to disclose."

You must be a registered member of SC Magazine to post a comment.
