Security Flaws: To Disclose Or Not To Disclose?

If you are a security researcher or enthusiast and you’ve found vulnerabilities and / or security flaws in hardware or software products, are you going to disclose them to a public audience? You probably think it should be done as soon as possible, letting as many people as possible know about it. But it is not so simple. Companies treat vulnerabilities in their products as public-relations problems first and technical problems second. You might also face legal action from them. I’d recommend reading some articles and essays on this issue first, in order to avoid the problems you may run into if you disclose the vulnerabilities you have found before talking to the vendors and presenting those problems to them.

Read Schneier’s old (2001) but still valid essay from his Cryptogram newsletter (here), titled “Full Disclosure”, which starts with:

Microsoft is leading the charge to restrict the free flow of computer security vulnerabilities. Last month Scott Culp, manager of the security response center at Microsoft, published an essay describing the current practice of publishing security vulnerabilities to be “information anarchy.” He claimed that we’d all be a lot safer if researchers would keep details about vulnerabilities to themselves, and stop arming hackers with offensive tools. Last week, at Microsoft’s Trusted Computing Forum, Culp announced a new coalition to put these ideas into practice.

It is also interesting to read a newer post (2005) on Schneier’s blog titled “Cisco Harasses Security Researcher” (here).

(Un)fortunately, the U.S. Copyright Office released its list of DMCA exemptions for the next three years (read my earlier post here). One analyst said about this:

The DMCA exemptions were surprising and fortunate, but, as always, disappointing.

So be careful, be very careful about this.
