Security

singularity's Journal: On responsible disclosure... 1

Journal by singularity

A C|Net article, as referenced on Macintouch:

At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.

"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

Hey - I have a solution! Why not simply say "Our policy is to release the details of the hole exactly one month after notifying the company."?

Mr. Schneier is correct - only full disclosure will keep the vendors honest. I do not see how giving a set time before releasing the exploit causes problems with this.

Now, I will say it is very possible that the article was written to have these two somewhat unrelated paragraphs next to each other. One seems to be talking about an embargo for a while after notifying the company, and the Counterpane quote seems to be talking about justifying releasing the information at all.
