The back-and-forth between Microsoft and Finjan highlights the need for an acceptable protocol for cooperation between independent researchers and software vendors, said Gerhard Eschelbeck, chief technology officer of vulnerability management consulting firm Qualys. "I'm a big supporter of disclosing the required information at the appropriate time, and that's usually when a patch is available. In this case, you have to question the spirit of releasing information when the vendor is still doing investigations," Eschelbeck said.

Finjan insists that it did nothing out of the ordinary. "We provided full disclosure and technical details only to the vendor. No technical details or proof-of-concept code are ever published. The information we put out is basic in nature to help people to protect themselves," Touboul said.

"In a perfect world, the two sides should work together on a patch and coordinate the release of information when the fix is ready. That happens in many cases, but unfortunately, like in this case, it's still a problem," Fleming said. Fleming said he believes software vendors also must take some of the blame. "Some vendors drag their feet when security issues are brought to their attention. That's a fact, and that's a legitimate gripe among researchers."

In many cases, independent flaw finders work only for the recognition of their peers, and they revel in the publicity generated by finding significant vulnerabilities. "There is competition among security researchers. Being able to say 'I've looked at SP2 and found a serious file-handling problem that presents a major risk' is a big deal for a researcher," Fleming said.

Qualys CTO Eschelbeck said a big disconnect happens when distrust exists between a researcher and a vendor. "At the end of the day, responsible disclosure should always be in the interest of the end-user. If any element of disclosure puts the end-user at risk, that's irresponsible."

Marty Lindner, team leader for incident handling at the federally funded CERT Coordination Center (CERT/CC), said he believes the vulnerability disclosure problem is exacerbated by the fact that research firms all have different policies. "It becomes a philosophical question. On one extreme, you have the guys who favor full disclosure, against those who don't want to tell anyone anything, and that's the other extreme."

Lindner said CERT/CC publishes its disclosure policy to publicly highlight the way flaw warnings are handled. It calls for all reported vulnerabilities to be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. "Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure," according to the CERT/CC vulnerability disclosure policy. Lindner said affected vendors are notified of the center's publication plans and, in some cases, alternate publication schedules are negotiated with the affected vendors.
Rick Fleming, chief technology officer of Texas-based Digital Defense Inc., said a good rule of thumb is to give a vendor 30 to 60 days to create and test software patches before releasing information.