I’ve tried and tried to avoid getting into the Tavis Ormandy debacle and the whole Irresponsible Disclosure Issue. I’ve voiced my opinion before and it hasn’t changed much, but as I continued to think about this I just had to put my 2 dollars into the ring again. I ranted a bit last night when Martin, Steve and I recorded episode 18 of the Southern Fried Security Podcast, and then just a few minutes ago I ran across this from the Register. I’ve always said that Full Disclosure is irresponsible and usually hurts more people than it helps, and I still believe that is the case. The full disclosure crowd says that it is the only way to get the vendors to respond and release a patch, and from time to time they are right, but by far today that is NOT the case. Most vendors, especially the big ones, will work with the researcher and release a patch in a timely manner. If they don’t, then I’m much more amenable to releasing PoC or even a full exploit, but even then there has to be responsibility. Releasing vulnerability details puts people in danger of having their lives screwed with by others in ways that can drastically and negatively impact them. Researchers are NOT the gods of the internet and they don’t have the right to say what vulnerabilities should and should not be released regardless of whether or not a patch is available.

Another argument that the full disclosure fans like to make is that the bad guys probably already know about it and are using it. That may be so, but in the vast majority of cases IF they have exploit code it is probably not being used except in limited cases. If it was, then there would be noise on the internet that would point to it. It’s better that it be used in limited cases than to have it used on a large scale against anyone who happens to be unlucky enough to go to the wrong web site or click on the wrong link. Not to mention the fact that instead of being in the hands of a very few, it’s now in the hands of anyone who wants it and, worse, available to every script kiddie who wants to make a name for himself.

Also, the argument that many in IT make, that knowing the details prior to a patch allows them to test their systems and put controls in place, doesn’t hold much water either. Why? Because many if not most companies don’t do this. They don’t even know that the details are available, and they don’t have the resources to use the information to protect themselves. So while a select few may be a little better protected, the vast majority (including almost 100% of consumers) are left wide open to attack. Is this the best way to secure the internet? I don’t think so.

People’s finances, reputations and ability to use the internet for legitimate purposes are at stake. When exploit code, PoC code and full details about vulnerabilities are released in an irresponsible manner, then you are increasing the threat landscape and not helping it like you claim to be doing. You are putting them in danger that most likely they would not face if you had acted in a responsible manner. Are you willing to reimburse them for the money that is taken out of their account? Are you willing to go to jail for them b/c their infected system (thanks to you) is now housing child porn? Are you willing to explain to their wife why all of a sudden porn is being shown to the kids when they try to go to pbskids.com? Are you willing to pay them the salary they lost because their compromised computer caused them to lose their job? I didn’t think so. And don’t give me the argument about good forensics being able to clear them, b/c in most cases that is not going to happen. Most individuals are not going to hire a forensic expert to prove to their wife that they weren’t looking at porn. Most won’t even know it’s an option. I’d venture to say that most companies, especially small ones, aren’t going to hire a forensics expert to see if what was done from your computer was you or malware.

In today’s world, where much of what happens happens in electronic format and on computers that are connected to most every other computer in the world, you are messing with people’s lives when you release this kind of information in an irresponsible manner. So what is irresponsible? I can’t define that completely, but I can say that when you don’t give a vendor an opportunity to get a patch out you are practicing irresponsible disclosure.