I’ve decided that as I move forward with my site here and my posts, I’m not necessarily going to be completely PC and try to be pleasing to people. I want to take a stance and not feel like I have to assuage anyone else, especially with my own feelings and site. 🙂
So, where do I stand with full disclosure? First, I think we need to buck up, let people do their thing, stop quibbling about how to properly disclose, and just move forward with our goal: security. We don’t sit here whining about how we can’t control the environment and then let security slide until we can control the environment. It is unknown, ephemeral, ever-changing. Whether someone practices full-disclosure or protected disclosure, I don’t much care: I still have to practice security and I need to be able to roll with the punches and what the environment hands me.
There are two caveats to this debate, which few people seem to address when passionately debating this topic. First, there is the entire full disclosure concept and whether we should practice it. Second, there is the question of whether security professionals should practice full disclosure or more “responsible” disclosure.
Whether an attack vector, vulnerability, or known proof-of-concept exploit is available or not, I would rather know about these items as opposed to not know about them and hope that an attacker doesn’t secretly use them against me. If someone has found a hole and will report it to the vendor reasonably, it should be a security researcher’s position to assume two other people in the world know about the issue as well. And are actively exploiting it or soon going to. Or maybe have been previously. We cannot squelch communication amongst ourselves and expect to keep up with attackers. I am in favor of full disclosure.
On the second part about security professionals, I have less opinion and think it is a case-by-case issue.
In the end, like nature, what doesn’t kill us only makes us stronger and more resilient.
Update: I just wanted to add to this that I really don’t necessarily trust vendors. Vendors are economic entities, and most of the time the media and researchers end up interfacing with the ineffectual and smoke-screening PR and Marketing sides. I don’t trust that, and if I were to weigh my trust of vendors against my desire to know about the problems, the vendors do not typically win. This would change if vendors not only fessed up to holes they patch, but would also be liable for any damages incurred through direct use of those holes. Of course, then I see vendors getting slimier and doing the whole lawyer dance jig… In the end, vendors need to also get off the soapbox about responsible disclosure and just be up front and honest with the community and the world. Painting a picture of rosy security happiness where even puppies and rainbows can use their software without a care in the world is a dying approach. Security is merging with business in the back office, but what about the front office?