Responsible Disclosure Becoming Irrelevant?
According to a Microsoft spokesperson, several factors can affect the priority given to a security update and the amount of time between the discovery of a vulnerability and the release of a patch. "When a potential vulnerability is reported, designated product-specific security experts investigate the scope and impact of a threat on the affected product," the spokesperson said. "Once the MSRC [Microsoft Security Response Center] knows the extent and the severity of the vulnerability, they work to develop a quality update for every supported version affected ... [Then] it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe."

To Jeremiah Grossman, chief technology officer of WhiteHat Security, the debate about responsible disclosure is no longer relevant. Criminals are hunting for their own zero-day vulnerabilities anyway, he said, and naturally cannot be counted on to disclose them. In addition, the turnaround time from when a patch is issued to when exploit code is released is much shorter than the time it takes for organizations to roll out patches on a wide scale, he said. Lastly, the financial incentive for researchers to ethically disclose vulnerabilities to software vendors for free is being diminished as large financial rewards can be obtained elsewhere, he added.

"When you are talking about zero-days worth six figures, even the good guys are going to be swayed," Grossman said. "So the idea [of] debating what exactly is full disclosure versus responsible disclosure I say is irrelevant. The conversation is simply in the wrong place."

Still, according to Gartner's Pescatore, responsible disclosure has its place. "We already knew the bad guys wouldn't responsibly disclose and we can deal with that. We just don't need the security companies making it worse," Pescatore said.
Does the full disclosure debate still matter?