A vulnerability in Microsoft Corp.'s Windows first identified in May—but only now receiving widespread attention—has reopened the contentious debate between security researchers and software vendors over the proper method and time frame for disclosing security flaws.
Few topics cause as much hand-wringing and heartburn as full disclosure. Simply mentioning the subject in some circles can generate the kind of quasi-religious zeal and partisan rhetoric normally reserved for discussions about gun control or nuclear proliferation. Indeed, some participants in the debate see the early release of vulnerability information as roughly analogous to handing loaded guns to gangs of trigger-happy juvenile delinquents.
Improving the patch-handling process has been a key part of Microsoft Chairman and Chief Software Architect Bill Gates' Trustworthy Computing push.
The debate has taken twists and turns over the years but almost always comes down to the question of whether releasing details about flaws before patches are ready serves any legitimate purpose. Software vendors, of course, argue that such practices are the height of irresponsibility and serve only to give crackers a road map for compromising unprotected systems.
Some researchers agree, while others say publishing early vulnerability reports can give administrators a head start on locking down vulnerable machines. And, they argue, if a flaw is already known in the cracker community, it's best to get the information into the hands of the good guys as well. Nearly all well-known research organizations, including Next Generation Security Software Ltd., eEye Digital Security, @Stake Inc., PivX Solutions Inc., Immunity Inc. and others, generally follow a policy of notifying vendors of their findings and then waiting until a patch is ready before publishing an advisory on the vulnerability.