Pros & cons of publishing security vulnerabilities in http://www.dslreports.com/forum/r14092773 en Tue, 01 Dec 2009 00:42:20 EDT Tue, 01 Dec 2009 00:42:20 EDT Pros & cons of publishing security vulnerabilities http://www.dslreports.com/forum/remark,14092773 TKJunkMail : »www.eweek.com/article2/0,1895,1843819,00.asp
The security research company responsible for discovering a software hole later used by the Slammer worm is considering an end to its policy of publishing details of vulnerabilities to public forums.

Speaking with eWEEK at the Black Hat conference here last month, David said that arguments in favor of disclosing details of software holes have lost force in recent years. At the same time, the threats to organizations and individuals on the Internet from organized cyber-crime syndicates and international terrorists have increased.

In the wake of the Slammer worm, NGS changed its disclosure policy. NGS now notifies companies of the holes it discovers and gives them time to create a patch and 90 days to distribute it before releasing vulnerability details to the public.
It seems that NGS has reached a reasonable compromise. If they discover a vulnerability, they give the vendor time to fix it and deploy it before using the club of public disclosure on recalcitrant vendors.

They thereby minimize the possible risk of allowing hackers to unleash an exploit on the public prior to a fix being deployed due to premature disclosure. But they also hold the vendor's feet to the fire by keeping the option of public release available in their back pocket.
--
My Web Page
Join Red Room Forum]]> http://www.dslreports.com/forum/remark,14092773 Tue, 09 Aug 2005 08:22:29 EDT