Once vulnerabilities are discovered, should one disclose them? The debate over responsible disclosure of vulnerabilities has been going on for years, but has recently been reignited by Microsoft’s decision to end its public advanced notification system, as well as Google’s decision to publish details for a vulnerability found in Windows the day before Microsoft was set to make the patch available. It begs the question once vulnerabilities are discovered, should one disclose them? If so, what’s the appropriate amount of time? Do we as a security community, need to re-examine the process in which we disclose vulnerabilities?From my perspective, there are two types of disclosure used today by security researchers — full disclosure and responsible disclosure. Full disclosure is the practice of publishing the details of the vulnerability as early as possible and making the information available to everyone without restriction, which typically includes publicly releasing information through online forums or websites. The primary argument for full disclosure is that ethically the potential victim of attacks against the previously unknown vulnerability should be as knowledgeable as those who attack them.Alternatively, responsible disclosure requires that the security researcher not disclose the vulnerability until a fix is available. The argument for responsible disclosure is that blackhats — cyber criminals — can typically exploit the vulnerability when publicly disclosed much quicker than those who are attacked can fix the issue. As such, it is important that a fix is ready and widely available once the vulnerability is made widely known. Responsible disclosure basically requires:The security researcher who found the vulnerability to confidentially report it to the impacted company.The security researcher and company work in good faith to establish an agreed upon period of time for the vulnerability to be patched.Once the agreed upon time period expires and the vulnerability is patched or the patch is available for installation by the users of the software, the security researcher can publicly disclose the vulnerability.Several companies such as Google, Microsoft, and Facebook have also instituted bug bounty programs. Bug bounty programs are similar to responsible disclosure, with the exception that the security researcher is compensated for reporting the vulnerability. Given the number of significant vulnerabilities being found in software we use on a daily basis, it’s clear that this is a debate that should be revisited. I would love to hear your thoughts on how we should define responsible disclosure, please feel free to leave a comment below. Related content opinion The Web App Security Puzzle The security industry must outmaneuver hackers By Apr 21, 2015 3 mins Security opinion Making the Case for Cloud Security in Government The top 4 reasons that governments should consider adopting cloud security solutions By Apr 16, 2015 3 mins Cloud Security opinion FedRAMP: What you need to know Is your organization looking to become FedRAMP certified? Read this first. By Apr 07, 2015 6 mins IT Leadership opinion Five steps to maintaining PCI compliance There are easy ways to improve the security of customers’ payment card data By Mar 26, 2015 4 mins Compliance Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe