Opinion

The Vulnerability Disclosure Game: Are We More Secure?

Marcus Ranum asks: Can we speak frankly about "vulnerability disclosure" now? More than a decade into the process, can anyone say security has improved?

By Marcus J. Ranum

Back when the Internet security bubble started, I offered a litmus test for practitioners. Simply put: You're either part of the solution, or you're part of the problem. You're writing the next firewall or secure application or working to improve some site's security. Or you're part of the problem: You're looking for the next hole in Oracle that'll get you two minutes on CNN, or you're getting ready to announce a clever new way rootkits can evade detection from security tools, or you're devising the next denial-of-service attack, etc. The state of ethics in the computer security industry is pathetic; it's on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.

At this point in the history of security, the disclosure economy has been in place long enough that some of the new entrants to the field think that's the way it's always been—I've run into second-generation "true believers" who really think vulnerability disclosure is all about making software better. Guys, I think it's time to hang up that ideology; it's obviously not true. If it was going to help, it would have showed some signs of helping by now. So let's be frank, shall we? Those of you who are playing the disclosure game are just playing for your two minutes of fame: You're not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn't shouting "fire!" in a crowded theater so&um, '90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired "chief hacking officer" on CNN one more time. I have news for you: Most of the computer users on the planet wish you'd find some other use for your talents—something that actually does help.

Computer security needs to grow the hell up, and needs to do it pretty quickly. It seems that virtually every aspect of life is becoming increasingly computerized and exposed to online attack. The problem is getting more significant the longer we wait to deal with it, but the early history of computer security has been a massive disappointment to all of us: huge amounts of money spent with relatively little improvement to show for it. One of the reasons is that a huge amount of that effort has been wasted, barking up the wrong tree. Unfortunately, if you look at the last 10 years of security, it's a litany of "one step forward, one step back," thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. At this point, they're so deeply entrenched and vested that they're here to stay, unless the industry as a whole turns away from rewarding bad behavior. If you're a customer or end user, you can see how well disclosure worked to improve your security over the last decade. Let me be frank: It's up to you.

• Email
• Print
• Comments
• Digg This
• SlashDot

• Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'
• Software Vulnerability Disclosure: The Chilling Effect
• How to Evaluate (and Use) Web Application Security Scanners
• Industry View: Web Application Security Today - Are We All Insane?