Full disclosure (computer security)

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.[1]

In his 2007 essay on the topic, Bruce Schneier stated "Full disclosure – the practice of making the details of security vulnerabilities public – is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure."[2] Leonard Rose, co-creator of an electronic mailing list that has superseded bugtraq to become the de facto forum for disseminating advisories, explains "We don't believe in security by obscurity, and as far as we know, full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need."[3]

The vulnerability disclosure debate

The controversy around the public disclosure of sensitive information is not new. The issue of full disclosure was first raised in the context of locksmithing, in a 19th-century controversy regarding whether weaknesses in lock systems should be kept secret in the locksmithing community, or revealed to the public.[4] Today, there are three major disclosure policies under which most others can be categorized:[5] Non Disclosure, Coordinated Disclosure, and Full Disclosure.

The major stakeholders in vulnerability research have their disclosure policies shaped by various motivations; it is not uncommon to observe campaigning, marketing or lobbying for their preferred policy to be adopted, and chastising of those who dissent. Many prominent security researchers favor full disclosure, whereas most vendors prefer coordinated disclosure. Non disclosure is generally favored by commercial exploit vendors and blackhat hackers.[6]

Coordinated vulnerability disclosure

Coordinated vulnerability disclosure is a policy under which researchers agree to report vulnerabilities to a coordinating authority, which then reports it to the vendor, tracks fixes and mitigations, and coordinates the disclosure of information with stakeholders including the public.[7][8] In some cases the coordinating authority is the vendor. The premise of coordinated disclosure is typically that nobody should be informed about a vulnerability until the software vendor says it is time.[9][10] While there are often exceptions or variations of this policy, distribution must initially be limited and vendors are given privileged access to nonpublic research.[11]

The original name for this approach was "responsible disclosure", based on the essay by Microsoft Security Manager Scott Culp “It's Time to End Information Anarchy”[12] (referring to full disclosure). Microsoft later called for the term to be phased out in favor of “Coordinated Vulnerability Disclosure” (CVD).[13][14]

Although the reasoning varies, many practitioners argue that end-users cannot benefit from access to vulnerability information without guidance or patches from the vendor, so the risks of sharing research with malicious actors are too great for too little benefit. As Microsoft explains, "[Coordinated disclosure] serves everyone's best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious attacks while the update is being developed."[14]

To prevent vendors from indefinitely delaying the disclosure, a common practice in the security industry, pioneered by Google,[15] is to publish all the details of vulnerabilities after a deadline, usually 90 or 120[16] days, reduced to 7 days if the vulnerability is under active exploitation.[17]
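The deadline policy above, modelled as an added example (not tooling from Google or any other vendor): the record layout, the function names and the choice to publish alongside an early fix are assumptions of this example; the 90/120-day windows and the 7-day active-exploitation cut come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Deadline lengths as described in the article: 90 or 120 days after the
# vendor is notified, cut to 7 days when the bug is already being exploited.
STANDARD_DEADLINE_DAYS = 90
EXTENDED_DEADLINE_DAYS = 120
ACTIVE_EXPLOITATION_DAYS = 7


@dataclass(frozen=True)
class VulnerabilityReport:
    """One coordinated-disclosure case (hypothetical record layout)."""
    reported_on: date                 # day the vendor was notified
    actively_exploited: bool = False  # in-the-wild exploitation known at report time
    fixed_on: Optional[date] = None   # day a patch shipped, if one has
    policy_days: int = STANDARD_DEADLINE_DAYS


def disclosure_deadline(report: VulnerabilityReport) -> date:
    """Last day the details stay private under the deadline policy."""
    if report.policy_days not in (STANDARD_DEADLINE_DAYS, EXTENDED_DEADLINE_DAYS):
        raise ValueError("policy_days must be 90 or 120")
    # Active exploitation overrides the normal window: attackers already hold
    # the information, so withholding it only disadvantages defenders.
    days = ACTIVE_EXPLOITATION_DAYS if report.actively_exploited else report.policy_days
    return report.reported_on + timedelta(days=days)


def disclosure_status(report: VulnerabilityReport, today: date) -> Tuple[str, date]:
    """Classify a case as of `today` and give the day its details go public.

    Assumption (not stated in the article): when a fix ships before the
    deadline, the details are published with the fix rather than held back.
    """
    deadline = disclosure_deadline(report)
    if report.fixed_on is not None and report.fixed_on <= deadline:
        return "fixed-before-deadline", report.fixed_on
    if today < deadline:
        return f"embargoed, {(deadline - today).days} days left", deadline
    # Deadline passed with no fix: the policy publishes regardless, so users
    # can at least apply their own mitigations.
    return "published-unpatched", deadline


if __name__ == "__main__":
    # Constructed sample cases, not real vulnerabilities.
    routine = VulnerabilityReport(date(2024, 1, 10))
    in_the_wild = VulnerabilityReport(date(2024, 1, 10), actively_exploited=True)
    patched = VulnerabilityReport(date(2024, 1, 10), fixed_on=date(2024, 3, 1))
    for case in (routine, in_the_wild, patched):
        print(disclosure_status(case, date(2024, 3, 15)))
```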

Full disclosure

Full disclosure is the policy of publishing information on vulnerabilities as early as possible, making the information accessible to the general public without restriction. In general, proponents of full disclosure believe that the benefits of freely available vulnerability research outweigh the risks, whereas opponents prefer to limit the distribution.

The free availability of vulnerability information allows users and administrators to understand and react to vulnerabilities in their systems, and allows customers to pressure vendors to fix vulnerabilities that vendors may otherwise feel no incentive to solve. There are some fundamental problems with coordinated disclosure that full disclosure can resolve.

  • If customers do not know about vulnerabilities, they cannot request patches, and vendors experience no economic incentive to correct vulnerabilities.
  • Administrators cannot make informed decisions about the risks to their systems, as information on vulnerabilities is restricted.
  • Malicious researchers who also know about the flaw have a long period of time to continue exploiting the flaw.

Discovery of a specific flaw or vulnerability is not a mutually exclusive event; multiple researchers with differing motivations can and do discover the same flaws independently.

There is no standard way to make vulnerability information available to the public; researchers often use mailing lists dedicated to the topic, academic papers or industry conferences.

Non disclosure

Non disclosure is the policy that vulnerability information should not be shared, or should only be shared under non-disclosure agreement (either contractually or informally).

Common proponents of non-disclosure include commercial exploit vendors, researchers who intend to exploit the flaws they find,[5] and proponents of security through obscurity.

Debate

In 2009, Charlie Miller, Dino Dai Zovi and Alexander Sotirov announced at the CanSecWest conference the "No More Free Bugs" campaign, arguing that companies are profiting and taking advantage of security researchers by not paying them for disclosing bugs.[18] This announcement made it to the news and opened a broader debate about the problem and its associated incentives.[19][20]

Arguments against coordinated disclosure

Researchers in favor of coordinated disclosure believe that users cannot make use of advanced knowledge of vulnerabilities without guidance from the vendor, and that the majority is best served by limiting distribution of vulnerability information. Advocates argue that low-skilled attackers can use this information to perform sophisticated attacks that would otherwise be beyond their ability, and the potential benefit does not outweigh the potential harm caused by malevolent actors. Only when the vendor has prepared guidance that even the most unsophisticated users can digest should the information be made public.

This argument presupposes that vulnerability discovery is a mutually exclusive event, that only one person can discover a vulnerability. There are many examples of vulnerabilities being discovered simultaneously, often being exploited in secrecy before discovery by other researchers.[21] While there may exist users who cannot benefit from vulnerability information, full disclosure advocates believe this demonstrates a contempt for the intelligence of end users. While it's true that some users cannot benefit from vulnerability information, if they're concerned with the security of their networks they are in a position to hire an expert to assist them as you would hire a mechanic to help with a car.

Arguments against non disclosure

Non disclosure is typically used when a researcher intends to use knowledge of a vulnerability to attack computer systems operated by their enemies, or to trade knowledge of a vulnerability to a third party for profit, who will typically use it to attack their enemies.

Researchers practicing non disclosure are generally not concerned with improving security or protecting networks. However, some proponents argue that they simply do not want to assist vendors, and claim no intent to harm others.

While full and coordinated disclosure advocates declare similar goals and motivations, simply disagreeing on how best to achieve them, non disclosure is entirely incompatible.

References

  1. Heiser, Jay (January 2001). "Exposing Infosecurity Hype". Information Security Mag. TechTarget. Archived from the original on 28 March 2006. Retrieved 29 April 2013.
  2. Schneier, Bruce (January 2007). "Damned Good Idea". CSO Online. Retrieved 29 April 2013.
  3. Rose, Leonard. "Full-Disclosure". A lightly-moderated mailing list for the discussion of security issues. Archived from the original on 23 December 2010. Retrieved 29 April 2013.
  4. Hobbs, Alfred (1853). Locks and Safes: The Construction of Locks. London: Virtue & Co.
  5. Shepherd, Stephen. "Vulnerability Disclosure: How do we define Responsible Disclosure?". SANS GIAC SEC Practical ver. 1.4b (Option 1). SANS Institute. Retrieved 29 April 2013.
  6. Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company. p. 258. ISBN 1-59345-303-5.
  7. "Software Vulnerability Disclosure in Europe". CEPS. 27 June 2018. Retrieved 18 October 2019.
  8. Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (19 November 2018). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure". Crime Science. 7 (1): 16. doi:10.1186/s40163-018-0090-8. ISSN 2193-7680.
  9. "Project Zero: Vulnerability Disclosure FAQ". Project Zero. Retrieved 18 October 2019.
  10. Christey, Steve. "Responsible Vulnerability Disclosure Process". IETF. Section 3.3.2. Retrieved 29 April 2013.
  11. "Guidance on good manufacturing practice and good distribution practice: Questions and answers". European Medicines Agency (www.ema.europa.eu). Retrieved 1 March 2024.
  12. Culp, Scott. "It's Time to End Information Anarchy". Microsoft TechNet Security. Archived from the original on 9 November 2001. Retrieved 29 April 2013.
  13. Goodin, Dan. "Microsoft imposes security disclosure policy on all workers". The Register. Retrieved 29 April 2013.
  14. Microsoft Security. "Coordinated Vulnerability Disclosure". Microsoft. Archived from the original on 16 December 2014. Retrieved 29 April 2013.
  15. "About Google's App Security". about.google. Retrieved 17 May 2023.
  16. "Policy". Zero Day Initiative (zerodayinitiative.com). Retrieved 17 May 2023.
  17. "Reviewing 90 Day Responsible Disclosure Policies in 2022". Tenable. 30 August 2022. Retrieved 17 May 2023.
  18. "Dailydave: No more free bugs (and WOOT)". seclists.org. Retrieved 17 May 2023.
  19. ""No more free bugs"? There never were any free bugs". ZDNET. Retrieved 17 May 2023.
  20. "No more free bugs for software vendors". threatpost.com. 23 March 2009. Retrieved 17 May 2023.
  21. Ac1db1tch3z. "Ac1db1tch3z vs x86_64 Linux Kernel". Retrieved 29 April 2013.
