In one example, a customer reported a vulnerability to his vendor. A month went by with the vendor ignoring the customer's request. Frustrated and angered, the customer escalated the issue and told the vendor that if he did not receive a patch by the next day, he would post the full vulnerability on a user forum web page. The customer received the patch within one hour.

These types of stories are very common and are continually presented by the proponents of full vulnerability disclosure.
The Software Vendors' View

In contrast, software vendors view full disclosure with less enthusiasm, giving these reasons:
• Only researchers need to know the details of vulnerabilities, even specific exploits.
• When good guys publish full exploitable code, they are acting as black hats and are not helping the situation but making it worse.
• Full disclosure sends the wrong message and only opens the door to more illegal computer abuse.
Vendors continue to argue that only a trusted community of people should be privy to virus code and specific exploit information. They state that groups such as the AV Product Developers' Consortium demonstrate this point. All members of the consortium are given access to vulnerability information so that research and testing can be done across companies, platforms, and industries.