In an earlier post on this website, I wrote about the dilemma of whether or not to disclose security flaws publicly. This disclosure game is getting hotter and hotter at present. Recently I’ve read four interesting articles at CSO Online. These articles shed light on the problem from different, sometimes totally opposite, angles.
1. The article “Microsoft: Responsible Vulnerability Disclosure Protects Users” by Mark Miller, Director, Microsoft Security Response Center, says:
“Responsible disclosure benefits everyone in the security ecosystem by providing the most comprehensive and highest-quality security update possible.”
2. The next article, “The Vulnerability Disclosure Game: Are We More Secure?” by Marcus J. Ranum, says in its headline:
“Can we speak frankly about “vulnerability disclosure” now? More than a decade into the process, can anyone say security has improved?”
3. The third article, “Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea’”, has the subtitle:
“Security guru Bruce Schneier sounds off on why full disclosure forces vendors to patch flaws.”
4. Interesting, and a little bit longer than the previous articles, is the article “The Chilling Effect” by Scott Berinato, which says:
“How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.”
This dilemma will probably be around for a prolonged period of time. My estimate is that, as usual, it will end up with a balanced view that reconciles the different positions in a socially and technologically acceptable manner.