Last week, I wrote that I think some security researchers release too much information too soon, which invariably leads to exploits being unleashed on the unsuspecting masses. I also wrote that some so-called "researchers" make little if any effort to inform vendors of their discoveries but claim that they've tried and failed to find vendor contact information. This week, I'd like to share some of the responses we've received.
One reader wrote, "It seems to me that working on your own time and budget and publishing an exploit to the public is already more than enough of a contribution to the \[number one\] software seller in the world. Mark suggests that researchers should invest even more of their own time to do what the \[business\] itself should be doing - fixing the security problems of their own products. After all, as he states, the places where these researchers publish are well known. So it eludes me why he isn't lamenting about the lack of vision, investment and commitment to security by the \[business\] itself."
I should point out that last week I didn't mention anything that pertains to what vendors do. Nor did I suggest that researchers invest more of their time. It's possible that this particular reader doesn't comprehend how much time it takes to develop a patch and test it carefully before making it available to the public.
The reader further said, "Maybe the corporate leaders could learn something about the drive to excellence from Donald E. Knuth and, as he did, \[write\] $1 checks for errata submissions \[and offer $500\] for a proven vulnerability \[...\] if the price tag seems high - it's not. It's a \[pittance\] against typical \[research hours\] spent and even less if compared to potential damages and loss \[incurred\] by \[a vendor's\] customers."
One thing to keep in mind is that researchers looking for vulnerabilities do so by their own choice. If a vendor isn't compensating them for their work, they don't have to hunt for vulnerabilities in that vendor's products. That logic seems simple enough to me.
Another reader wrote, "\[...\] you are assuming \[that certain researchers\] are assuming \[two things\]: One, as a systems administrator I am too incompetent to do my job. It's true most administrators may not get around to patching their systems for some time, but those are business decisions made because something else has been deemed more important at the time. \[...\] you also assume that the exploit would not have been found by someone with malicious intent and exploited anyway. Certainly if you or I can go through line after line of code, then so can the malcontents. At least with some warning of what to look out for / what application / what port / what whatever, I stand a better chance of being able to defend against any attack."
I want to assure you that I don't think that systems administrators are incompetent, and I do realize that patching is a unique process for each business. I think many, if not most, of you would agree with the reader's second point--that malicious coders might find vulnerabilities if researchers don't. I also think you'd agree that there is a tremendous difference between telling the world what to look out for and giving the world working proof-of-concept code before a patch is available and before people have a reasonable amount of time to install that patch.
Another reader wrote, "Our beloved 'last chance effort' has become an advertising domain for companies who say they are in the 'security' business. It seems to me that the \[security mailing lists\] are being well abused and end users, companies, and vendors are paying the price. I no longer support the full-disclosure lists (and have voiced my opinion to the CISSP forum) because of the complete lack of regard of safety and proper ways to deal with vulnerabilities by some 'researchers'."
That is precisely the problem I see: lack of regard of safety and improper handling of vulnerabilities. If they really wanted to, some of the so-called researchers could make a more diligent effort to contact vendors, allow ample time for vendors to produce patches, and allow the public ample time to become aware of those patches and install them--before publishing proof-of-concept code. They could also keep in mind that not everybody has the desire or time to think about, and monitor, computer security issues all day, every single day. Greater consideration for others might be in order.
We're conducting a new poll that asks, "Do you think security researchers should allow more time before releasing proof-of-concept code?" Visit the Security Hot Topic Web page and let us know your opinion.
Until next time, have a great week!