Responsible disclosure
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists hold that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months. It is easier to patch software by using the internet as a distribution channel.
Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion.
While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005. These organisations follow the responsible disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI.
Vendor-sec is a responsible disclosure mailing list. Many, if not all, of the CERT groups coordinate responsible disclosures.
Security vulnerabilities resolved by applying responsible disclosure:
- Dan Kaminsky's discovery of DNS cache poisoning, 5 months
- Radboud University Nijmegen breaks the security of the MIFARE Classic cards, 6 months
- MBTA vs. Anderson, MIT students find vulnerability in the Massachusetts subway security, 5 months
- MD5 collision attack that shows how to create false CA certificates, 1 week