[Dailydave] The Invisible Hand of 'Responsible Disclosure'

Michael Sutton msutton at spidynamics.com
Wed Sep 6 12:50:50 EST 2006


Federico Biancuzzi has posted an interesting survey at SecurityFocus
(http://www.securityfocus.com/columnists/415) where he surveys various
software vendors, security researchers (looks like he missed you, Dave)
and commercial vulnerability programs to get their take on 'responsible
disclosure'. It's an interesting read, as he's done a good job of
surveying the usual suspects. What I don't get, however, is why we
continue to seek to define 'responsible disclosure'. It will never
happen, but in my opinion that's just fine. We don't have to agree on a
definition because we have the "invisible hand of responsible
disclosure" regulating the process. Researchers keep vendors in check
and vice versa. Vendors post vulnerability advisories because they have
to. It's far more productive to work with a researcher and thank them
for their contribution than it is to be publicly embarrassed by a
vulnerability posting that they didn't know about. On the other hand,
researchers are willing to work with vendors for various reasons,
including financial incentive, fear of legal reprisal, desire to receive
public accolades, etc. In short, the system isn't perfect (and never
will be), but it works. I've posted my full thoughts to my blog:

http://portal.spidynamics.com/blogs/msutton/archive/2006/09/06/The-Invisible-Hand-of-_2700_Responsible-Disclosure_2700_.aspx

"Can't we all just get along?" - Rodney King

Michael Sutton
Security Evangelist
SPI Dynamics
http://www.spidynamics.com
