Gray Hat Hacking 95

Chapter 3 discusses the complexities of responsibly reporting discovered vulnerabilities, highlighting the debate between full disclosure and vendor accountability. It presents arguments from both the security community, which advocates for transparency to enhance security, and software vendors, who prefer limited disclosure to protect their products. Case studies illustrate the ongoing tension between these perspectives and the challenges in establishing effective disclosure processes.

Chapter 3: Proper and Ethical Disclosure

Case Studies

The fundamental issue that this chapter addresses is how to report discovered vulnerabilities responsibly. The issue sparks considerable debate and has been a source of controversy in the industry for some time. Along with a simple “yes” or “no” to the question of whether there should be full disclosure of vulnerabilities to the public, other factors should be considered, such as how communication should take place, what issues stand in the way of disclosure, and what experts on both sides of the argument are saying. This section dives into all of these pressing issues, citing recent case studies as well as industry analysis and opinions from a variety of experts.

Pros and Cons of Proper Disclosure Processes

Following professional procedures in regard to vulnerability disclosure is a major issue that should be debated. Proponents of disclosure want additional structure, more rigid guidelines, and ultimately more accountability from vendors to ensure vulnerabilities are addressed in a judicious fashion. The process is not so cut and dried, however. There are many players, many different rules, and no clear-cut winners. It’s a tough game to play and even tougher to referee.

The Security Community’s View

The top reasons many bug finders favor full disclosure of software vulnerabilities are:

• The bad guys already know about the vulnerabilities anyway, so why not release the information to the good guys?
• If the bad guys don’t know about the vulnerability, they will soon find out with or without official disclosure.
• Knowing the details helps the good guys more than the bad guys.
• Effective security cannot be based on obscurity.
• Making vulnerabilities public is an effective tool to use to make vendors improve their products.

Maintaining their only stronghold on software vendors seems to be a common theme that bug finders and the consumer community cling to. In one example, a customer reported a vulnerability to his vendor. A full month went by with the vendor ignoring the customer’s request. Frustrated and angered, the customer escalated the issue and told the vendor that if he did not receive a patch by the next day, he would post the full vulnerability on a user forum web page. The customer received the patch within one hour. These types of stories are very common and continually introduced by the proponents of full vulnerability disclosure.

The Software Vendors’ View

In contrast, software vendors view full disclosure with less enthusiasm:

• Only researchers need to know the details of vulnerabilities, even specific exploits.
