Pros and Cons of Proper Disclosure Processes
Following professional procedures with regard to vulnerability disclosure is a major
issue. Proponents of disclosure want additional structure, more rigid guidelines, and
ultimately more accountability from the vendor to ensure the vulnerabilities are
addressed in a judicious fashion. The process is not cut and dried, however. There are
many players, many different rules, and no clear-cut winner. It’s a tough game to play
and even tougher to referee.
Gray Hat Hacking: The Ethical Hacker’s Handbook
64
The Security Community’s View
The top reasons many bug finders favor full disclosure of software vulnerabilities are:
• The bad guys already know about the vulnerabilities anyway, so why not release them to the good guys?
• If the bad guys don’t know about the vulnerability, they will soon find out, with or without official disclosure.
• Knowing the details helps the good guys more than the bad guys.
• Effective security cannot be based on obscurity.
• Making vulnerabilities public is an effective tool to make vendors improve their products.
Holding onto this leverage, the only stronghold bug finders and the consumer community have over software vendors, is a common theme among them.