Recently there has been a huge discourse in the security community about the proper way to disclose a vulnerability. A vulnerability can be defined as “a security exposure in an operating system or other system software or application software component”. The security exposures that people find typically fall into coding flaws, logical design flaws in the program, or unintended privileges to information. The issue that many people have with the disclosure of vulnerabilities is that a specific set of instructions can be constructed to exploit the vulnerability. The exploitation program can carry with it a payload, either giving an attacker access to your computer or doing malicious things to it.
So, why don’t software makers want you to know what’s in the software that you buy? Because they don’t want you to know what their problems are. RealPlayer, for example, has near-daily security vulnerabilities, and almost daily there is another way to break into a system via RealPlayer. Software vendors are often the loudest to scream “Foul!” when a security researcher releases a vulnerability publicly; however, there are countless stories of a researcher informing a company (Cisco) of vulnerabilities in its software or hardware and the company waiting months, if not years, to actually fix the issue. The developers in these companies are so wrapped up in prior commitments or “maintenance” that a vulnerability gets pushed to the bottom of their to-do list. Besides, if no one is exploiting it, it’s not important in their eyes.
So why don’t they want people to publicly reveal the vulnerabilities in their products? Because they don’t want to fix them? Well, they usually get around to fixing the vulnerability, just not immediately; so no, it’s not that. Well, why? Because they believe that people will actively exploit the vulnerability? That could be, but in most situations the people who truly know how to use the exploit already have it. The security community is a tight-knit group; just because an exploit hasn’t been publicly released doesn’t mean that it is not well known. The main argument that I have seen is that someone will package the exploit and sell it to people who will then use it for malicious ends against machines. The flaw in this argument is that although there will inevitably be a lapse between the public release and the repair, this time is a fraction of the time that the hole would have remained open if it hadn’t been marked as “Urgent”. You will not have to worry about people going through a hole that’s been covered. Many in the security community are intensely frustrated with the closed disclosure system, which is absolutely unresponsive to “Responsible Disclosure Reports”. Although some companies take these seriously, many sit on their thumbs while a hole is open.
So what is the issue here? Public relations, pure and simple. Companies do not want you to know about the problems with their software. Is Google leaking your search data? Too bad. Is Microsoft monitoring your downloads? Too bad. Will a program allow an attacker to get into your system and steal your personal information? Too bad. The companies want the maximum amount of money for the minimum amount of investment; the less they have to code, the better. The less you ask, the better, in the opinion of most large companies. Each time a vulnerability is found, even more people begin reviewing the code, finding even more vulnerabilities, until the program is vulnerability free.
So we come to the issue of public disclosure of bugs. Public disclosure provides four important services to the computing community. It allows security researchers, developers, coders, and computer professionals in general to analyze trends in coding and see common vulnerabilities. With analysis of vulnerabilities comes the opportunity to teach college students the proper ways of coding to avoid exposing vulnerabilities, thus creating secure software. While that service recognizes the contribution disclosure will make in the future, right now public disclosure allows security analysts to analyze trends in vulnerabilities in programs and see where they can patch programs before a problem occurs. Public disclosure also allows the consumer to make EDUCATED decisions in the marketplace. Instead of buying a program that has security vulnerabilities, the educated consumer will purchase a program that is coded securely, because they know that their information will be secure inside it.
Q: Why do I support public disclosure of bugs?
A: Because it keeps you secure.