The Vulnerability Disclosure Game

In an earlier post on this web site, I wrote about the dilemma of whether or not to disclose security flaws publicly. This disclosure game is becoming hotter and hotter at present. Recently I’ve read four interesting articles at CSO Online. These articles shed light on this problem from different angles, sometimes totally opposite ones.

1. The article “Microsoft: Responsible Vulnerability Disclosure Protects Users” by Mark Miller, Director, Microsoft Security Response Center, says:

“Responsible disclosure benefits everyone in the security ecosystem by providing the most comprehensive and highest-quality security update possible.”

2. The next article, “The Vulnerability Disclosure Game: Are We More Secure?” by Marcus J. Ranum, says in its headline:

“Can we speak frankly about “vulnerability disclosure” now? More than a decade into the process, can anyone say security has improved?”

3. The third article, “Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea’”, has the subtitle:

“Security guru Bruce Schneier sounds off on why full disclosure forces vendors to patch flaws.”

4. Interesting, and a little bit longer than the previous articles, is “The Chilling Effect” by Scott Berinato, which says:

“How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.”

This dilemma will probably be around for a prolonged period of time. My estimation is that, as usual, it will end up with a balanced view that reconciles the different positions in a socially and technologically acceptable manner.

2 Responses

  1. RootProtect

    Hi there,

    I read your comment and indeed it’s sad news for security enthusiasts to face such legal consequences. However, I feel we are not doing anything wrong in any case, as by making people aware you save or contribute something to stop these vulnerabilities from occurring. It’s certainly a pleasure to share these views with you. I am looking forward to having a chat with you. So if you have a Skype ID or if you use any voice chat client, do let me know.

    Thank You,

    Best Regards,

    Suprodeep Mukherjee

  2. Dragan Pleskonjic

    Thank you for your comment. It’s obviously a big game between software producers, hackers, security researchers, users and other players. Everyone has their own viewpoint, profit interests and various other goals. I will send you an e-mail.
