
Matt Jezorek

Developer and Security Researcher

Responsible Disclosure?

Recently Tavis Ormandy reported a vulnerability to Microsoft and 5 days later went public with working exploit code. The storm that has followed is ridiculous, and the people involved should be ashamed. Many of the finger pointers are, of course, the anti-virus vendors and other supposed security researchers, all of them pointing to responsible disclosure. Just what is responsible disclosure, you may ask, what is an acceptable amount of time, and is it needed at all?

Responsible Disclosure is a vulnerability disclosure model in which the stakeholders agree not to take a vulnerability public for a period of time so that a patch can be created. Zero-day attacks happen during that window of responsible disclosure; in my opinion the zero-day period runs from the time the first exploit code is written until a patch is released, and it does not include machines that simply have not been patched.

But how long should this zero-day period go on for? IBM seems to think 1137 days is okay, according to ZDI-CAN-200. What about Microsoft waiting 353 days on ZDI-CAN-527? Microsoft, by the way, has 7 vulnerabilities over 31 days old. These vulnerabilities put you, the computer user, at risk, and no one wants to tell you that the sense of security you get from up-to-date anti-virus and malware protection is false: it protects you only from the stupid. The smart are still going to take advantage of your computer and of you, and to be honest there is nothing you can do to stop it. So should a researcher who finds a bug wait 1137 days before publicly bringing the vulnerability out? What is acceptable?

Do we require responsible disclosure? Sure, people will use any exploit code that works, and public disclosure with exploit code will cause a rise in that exploit being used. I am willing, however, to say that the computers that get compromised with public exploit code would have been compromised anyway. So is there really a rise in cyber attacks after exploit code is released? How would anyone know? The vulnerability was not disclosed to them, which means the machines could have been infected previously, and only now are we starting to see the signatures.

Will a patch come quicker if the bug is publicly disclosed? Many would say yes, and I would agree, because it becomes a bigger issue when vendors cannot sit on known bugs that have exploit code. The community of administrators and others who receive the security advisory will also be looking to secure the computers in their own environments; many of these administrators share fixes and will share a workaround with others so that everyone can benefit.

Responsible Disclosure was really created so that the vendor can save face: if we disrupt the illusion that users are secure, we may not be able to sell them as many security tools that will not actually secure them. In my eyes responsible disclosure, while nice, should not be the be-all and end-all; I believe that some bugs/vulnerabilities require immediate public exposure. I also believe that public disclosure of some bugs may cause a rise in attacks but can lower the cost of those attacks. If Nimda/Code Red had been publicly disclosed, could the damage have been lower?
