Defining responsible disclosure of app flaws
What about the notion that the bad guys are simply reverse-engineering patches to exploit holes that would have remained hidden if the researchers hadn't disclosed the flaws?
That is ridiculous, and history has proven otherwise. The tools to quickly reverse-engineer a patch haven't existed for more than a few years, and the bad guys were just as capable of finding and exploiting bugs at that time.
What's your opinion on responsible vulnerability disclosure?
There is a myth that "responsible disclosure" means always waiting for a vendor to patch a flaw. That fails to account for when not disclosing a flaw is putting more folks at risk than simply posting the details to a mailing list. I have been reporting vulnerabilities to vendors for nearly 10 years and still believe that forcing a vendor's hand by releasing early is the responsible thing to do under the right conditions.
What is the correct way to report flaws in software products? In other words, how much time should vendors be given to respond to such disclosures? Is full disclosure necessary in all cases?
It depends on the vendor, how fast they respond and whether I am the only one that knows about a given vulnerability.