The debate over responsible disclosure of vulnerabilities has been going on for years, but has recently been reignited by Microsoft’s decision to end its public advanced notification system, as well as Google’s decision to publish details of a vulnerability found in Windows the day before Microsoft was set to make the patch available. This raises the question: once vulnerabilities are discovered, should one disclose them? If so, what is the appropriate amount of time? Do we, as a security community, need to re-examine the process by which we disclose vulnerabilities?
From my perspective, there are two types of disclosure used today by security researchers — full disclosure and responsible disclosure. Full disclosure is the practice of publishing the details of the vulnerability as early as possible and making the information available to everyone without restriction, which typically includes publicly releasing information through online forums or websites. The primary argument for full disclosure is that ethically the potential victim of attacks against the previously unknown vulnerability should be as knowledgeable as those who attack them.
Alternatively, responsible disclosure requires that the security researcher not disclose the vulnerability until a fix is available. The argument for responsible disclosure is that blackhats — cyber criminals — can typically exploit a publicly disclosed vulnerability much more quickly than those who are attacked can fix the issue. As such, it is important that a fix is ready and widely available once the vulnerability is made widely known. Responsible disclosure basically requires:
- The security researcher who found the vulnerability to confidentially report it to the impacted company.
- The security researcher and company work in good faith to establish an agreed upon period of time for the vulnerability to be patched.
- Once the agreed upon time period expires and the vulnerability is patched or the patch is available for installation by the users of the software, the security researcher can publicly disclose the vulnerability.
Several companies such as Google, Microsoft, and Facebook have also instituted bug bounty programs. Bug bounty programs are similar to responsible disclosure, with the exception that the security researcher is compensated for reporting the vulnerability.
Given the number of significant vulnerabilities being found in software we use on a daily basis, it’s clear that this is a debate that should be revisited. I would love to hear your thoughts on how we should define responsible disclosure, so please feel free to leave a comment below.