The full disclosure debate


As the new InfoWorld security columnist, I've not backed away from controversy. I have intentionally picked hot topics in order to generate reader interest and feedback. And nothing generates more debate than the topic of full disclosure.

Full disclosure is the idea that all security bugs found, whether by the vendor or a third party, should be disclosed in their entirety in a public forum as soon as possible, whether or not the vendor is notified, and whether or not a reasonable defense is possible. The thinking behind this is that full disclosure forces the vendor to address the problem faster than they normally would and helps administrators to prepare defenses.

Years ago I was a strong advocate on the full disclosure side. Anyone who didn't believe in full disclosure was an enemy of my utopian world and was helping to perpetuate bad coding. But lately I've been rethinking my position.

What changed? Well, my collective personal experience over the last 19 years. Full disclosure advocates claim that all defects should be publicly shared to benefit the common good. If an exploit is known and not shared, then the vendor might be slower to fix the hole. This statement is valid and true in most cases: Nothing focuses a vendor's attention like the whole world reading about the exploit and hackers looking to take advantage of it.

The full disclosure debate | InfoWorld | Column | 2005-09-30 | By Roger A. Grimes
