Let's say there's a security vulnerability in the software you are using. Do you have a right to know about it? If so, when do you have a right to know?
These persistent questions resurfaced at the recent Black Hat conference in Las Vegas when Cisco Systems and security research company Internet Security Systems threatened a lawsuit and Cisco staff went so far as to rip pages out of conference handouts.
The action was taken when a former ISS researcher, Michael Lynn, intended to disclose vulnerabilities in a Cisco product in a talk at the conference.
When it comes to vulnerabilities, there are many interested parties. As a developer and vendor of networking equipment, Cisco has an interest.
A security research company such as ISS has an interest in intellectual property produced by its staff. And a researcher such as Lynn has an interest in raising his profile in the community—in the name of serving the public interest.
But what about the interests of enterprise IT customers? They have the most to lose in case software weaknesses are exploited, networks are hacked and corporate information is stolen. And yet, those users are liable to find out about vulnerabilities no sooner than when it's in the vendor's interest to tell them.
What's more, powerful technology vendors are putting increasing pressure on smaller, independent security research companies, which are rethinking disclosure policies for fear of lawsuits.
Meanwhile, those companies such as ISS that are “cooperating” with companies such as Cisco and Microsoft have their own corporate IT customers paying them to uncover vulnerabilities before they can be exploited, raising conflict-of-interest questions.
Corporate IT buyers deserve better.
We don't think that vendors intentionally create faulty products. We also don't think that everyone who discovers a flaw ought to instantly disclose it to the world when that information can provide hackers with an easy avenue into a corporate network.
We do think, however, that corporate IT customers have a right to the knowledge of how to protect valuable corporate assets. We can't see any moral justification in a vendor's keeping this knowledge from them for any length of time.
Customers have little leverage over vendors in this matter, but we believe that it's time for contracts to specify terms of timely vulnerability disclosure. Without such enforceable contractual obligations, along the lines of SLAs, users will be at the mercy of the vendors and third parties that have their own agendas—or, worse still, malicious hackers themselves.
All vendors should do this, but those that do it better than others would stand to reap the rewards of the marketplace in more sales and greater success. That strikes us as being a fair reward for giving customers, at long last, what they deserve.