From Black Hat: To disclose or not to disclose?
Though there is still much dissension in the security world over the right way to disclose security vulnerabilities, a panel of researchers, vendors and end users all agreed at Black Hat yesterday that the disclosure environment has improved over the last several years.
Some of the biggest points of contention were the perceived impact of paying for vulnerability research, whether or not it is in the interest of end users for vendors to disclose before developing fixes and how long a researcher should wait for a vendor to respond to a reported security hole before going public with the information.
While these heady issues continue, it was generally agreed that major vendors have improved their response times during pre-disclosure talks with researchers and have softened their adversarial view of the research community.
"The top 10 (vendors) pretty much have it figured out," said Paul Proctor of Gartner, who moderated the panel. "Microsoft is in the acceptance phase. Cisco is slowly moving out of the anger stage and into the acceptance stage. Oracle, on the other hand, is just coming out of the denial stage and into the anger stage."
Panelists attributed the improved relations between researchers and vendors to an acknowledgment by both groups that each is trying to help users, even when their philosophies are at odds. They also said that groups such as the U.S. Computer Emergency Readiness Team (US-CERT) have helped to mediate between the two camps when they reach a standstill over certain security flaws.
This can be particularly beneficial when researchers begin to get frustrated with unresponsive vendors and just want to go public with information they've been sitting on for many months.
"I think we've been helpful in applying pressure to keep (vendors) moving along," said Jerry Dixon, deputy director of operations for US-CERT.
Of particular interest to audience members was the debate over whether a vendor should disclose a flaw to its customers before a patch is issued.
Vendors with representatives on the panel, such as Microsoft, Sun and Cisco, typically view that kind of disclosure with distaste: they consider the risk of propagating information about the flaw to be higher for users than the risk of customers lacking the information to defend themselves. But many audience members, and researchers on the panel, argued for knowledge of such vulnerabilities, since it can affect their decisions.
"It depends on the context, but if they were to do that, it could help people with decision making," said Raven Alder, a security researcher on the panel. "For example, if I knew right now that there was an unpatched OS X vulnerability I probably wouldn't connect my computer to the network here at Black Hat."
In a show of hands, approximately half of the security experts responsible for enterprise systems said they would prefer full disclosure to being kept out of the loop.
"Everyone's business is different," one audience member said. "You just don't know our risks, so who are you to decide what is and isn't an important flaw to disclose?"