NeoSmart Technologies is a big proponent of Full Disclosure when dealing with security vulnerabilities. Many coders and general online denizens think that’s not a very nice thing to do – that it creates more harm than it helps; but if you look at the alternatives it becomes obvious that not only is Full Disclosure not an extreme view/course of action but rather the only real middle ground there is for dealing with 0-day flaws.
When a person, group, or company discovers a security flaw in a product or service, they have a range of means to communicate this flaw to the outside world. On one side of the scale, most companies explicitly ask that such discoveries be treated with the utmost confidence and not spoken of until they have released a patch. Then you have Full Disclosure, wherein the finders reveal any and all associated information, exploits, fixes, and workarounds. At the very other end are the self-beneficiaries that attempt to sell or otherwise use the exploits for their own self-aggrandizement.
The first option has its obvious merits: when a security hole has been in existence for __ long, it’s a good idea that the company gets a chance to patch their product and set matters straight before the public finds out, lest wily souls get their hands on it and take advantage of innocents around the web. But then what’s to guarantee that this kind of thing doesn’t happen again and again? A couple of months ago there was a similar story with MSN and Yahoo! – they’re warned, but it’s easier to just sit around and wait.
Just last week, “hackers” claimed they’d found critical security flaws in Firefox that allow for complete remote control of users’ PCs from afar. Two days later they backed down and confessed it was a hoax — after creating chaos everywhere. Even if it wasn’t a hoax, their original intent of manipulating this security hole for their own “malicious” (Hacker communication network!) purposes could hardly be considered any better.
No matter who finds a bug or what software/product it’s in, Full Disclosure is the only method that can ensure that the right people know about it without too much hassle. With Full Disclosure,
- The holes get fixed. Isn’t that what it’s all about?
- Such vulnerabilities can’t be abused by morally-challenged people.
- It allows end-users a chance to back up their databases and take preliminary steps to secure their sites.
- It provides the affected companies with a solution. If the exact bug, the associated steps to reproduce it, the affected files/code, and the extent of the damage are all reported, there really isn’t much left for them to do.
- It embarrasses the company into taking immediate action and better care.
- You get the credit you deserve for finding the flaw!
When all that is said and done, nothing is perfect. Full Disclosure most certainly can be used and manipulated by people with malicious intent, and the more popular the application, the more potent Full Disclosure becomes.
But Full Disclosure isn’t a strict way of releasing information; it’s just a guideline of sorts. It doesn’t say you can’t warn the originating company a day before and give them a deadline by which to act. It doesn’t mean you have to tell everyone immediately, nor does it mean you agree to keep mum for a set amount of time. All it means is that, sooner or later, you tell everyone everything, for the good of the general public.