When is it right to go public with security flaws?

Posted on 27 Jul 2010 at 10:53

Nicole Kobie examines the prickly issue of "responsible" security disclosure

When it comes to security flaws, who should be warned first: users or software vendors?

That debate has been reignited after a spat between Google and Microsoft, and the latter could be about to raise the issue again at this week’s Black Hat conference in Las Vegas.

A tweet from the Microsoft Security Response Centre (MSRC) said: “What is the next logical step for community based defence for [Microsoft]? The answer to be announced at Black Hat USA.”

The current round of bickering kicked off last month, when Google researcher Tavis Ormandy discovered a flaw in Windows Support. He passed the details to Microsoft, but took it public within days, saying if he hadn’t published a working exploit, the firm wouldn’t have taken him seriously.

"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure'), those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots," Ormandy claimed.

Microsoft wasn’t pleased, and made a point of telling the world exactly how many computers were hacked using the flaw before they could patch it – 25,000, at last count.

While some fellow security researchers agreed with Microsoft, others backed Ormandy, with a few joining forces to create the Microsoft Spurned Researchers Collective, promising to fully disclose all discovered vulnerabilities.

Google eventually waded into the battle, with an open letter – signed by Ormandy – promising support to all researchers who take a flaw public after giving vendors a fair chance to fix it first. Google tried to balance disclosure with a 60-day deadline, putting pressure on vendors while still giving them time to develop patches.

"The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect," the post noted.

Coordinated vulnerability disclosure

Microsoft responded with its own idea, saying researchers should work more closely with vendors, and that a deadline wasn’t always reasonable.

It called for the industry to ditch the phrase “responsible disclosure”, saying it suggested full disclosure wasn't responsible, and said the industry should practice “coordinated vulnerability disclosure” instead.

User comments

vista registry issues with updates - error 57e

We have had problems with Office updates on Vista SP2 getting repeated error 57e, well documented on the net in that it is something to do with registry update permissions; we resolved this by uninstalling Rapport.

By robmar0se on 28 Jul 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk