From: aarhus () HUSHMAIL COM
Date: Tue, 28 Nov 2000 12:05:13 +0000
In response to hellnbak () HUSHMAIL COM's misgivings regarding early
disclosure, I'd like to give an alternative point of view.
It seems to be assumed that providing the vendor with as long as they wish
to produce a fix before announcing the vulnerability provides maximal
security to the consumer. Does it really? I suggest, instead, that it
reduces this security and allows the vendor to switch responsibility
from themselves to the consumer.
I would personally prefer the following disclosure policy. Allow the
vendor reasonable time to rectify the problem, provided that either:
1. the vendor has made every effort to ensure that the product ships in
a secure state by default and operating in a less secure mode requires
explicit action by the end-user, including notification of a mechanism
for the end-user to keep themselves abreast of security updates, or
2. the vendor has the ability to individually notify all users of the
product and bring the vulnerability and fix to their attention.
Otherwise, the vendor should not necessarily receive any prior notice.
What does this achieve?
90% or so of all vulnerabilities in web browsers seem to end up with
activex or whatever. If that were the default, only those who explicitly
chose to enable those features would be at risk. Ideally, they would be
notified of the risk when they chose to activate them.
Providing prior notice to a vendor regarding, say, an operating system
bug, allows them to fix it internally, notify their chosen partners so
that they have a fix, announce the fix to the world, and then shift the
blame from themselves to the end-user for not updating the product when
the consumer's computer is eventually cracked. Instead, the vendor would
have to either have a means to notify everyone equally, ship securely,
i.e. with firewalling features installed by default, or invest effort in
reducing the problems in the first place, through audits, for example.