Ruling of the court in Arnhem on a full disclosure.
Vulnerability disclosure refers to the publication of information about a security problem. Questions
about vulnerability disclosure include when, how, what, and to whom vulnerabilities should be disclosed.
Vulnerabilities may be reported by full disclosure or by responsible disclosure. Full disclosure refers to a
situation where information about how to detect and exploit the vulnerability is posted on public websites
after discovery. In contrast, responsible disclosure describes the situation where the vulnerability
is first disclosed privately to a vendor, and the finder works jointly with the vendor to solve the problem. The
vulnerability is made public only when a patch is available.
Full disclosure practitioners believe that publishing vulnerability information immediately after the
vulnerability is discovered is desirable for a variety of reasons. Some full disclosure advocates support
this practice on the premise that enhancing user and public awareness is critical as user action (or
inaction) is an undeniable part of the security equation. By disclosing fully and immediately, users will
patch systems, thereby making us all more secure. A second rationale for full disclosure is that fixes will
be produced faster because vendors are pressed to respond in order to protect their reputation and market
share. A third justification for full disclosure is that the free flow of information may help other vendors
to provide attack prevention solutions such as firewalls, antivirus software, and intrusion detection
systems (IDS), which could take less time to produce compared to fixing fundamental architectural flaws
in the vulnerable software.
Today's practice is that once the information about a vulnerability is public, it is the vendor's responsibility
to either confirm or deny the information. Since the vendor is the definitive authority on the product, this confirmation
typically includes a rating of the severity of the vulnerability, a fix schedule, and a statement about the
vulnerability of previous versions and similar products. Under the full disclosure model, the vulnerability
is announced prior to a patch being available; therefore, whenever possible, the vendor should suggest a
workaround for the problem, such as disabling the flawed functionality or blocking communication ports
until a patch is available.
Some full disclosure advocates favor immediate release based on reducing the window of exposure. Others contend
that it is irresponsible to disclose, discuss, or confirm security issues until a full investigation has
occurred and any necessary patches or releases are available. The rationale for keeping the vulnerability
secret is that immediate full disclosure provides detailed information to attackers before a defense mechanism
is available for users. Some contend that attackers are able to develop better exploits and share those exploits
among the attacker community, thereby increasing the potential for strong attacks. While it is possible to
quantify the number of days it takes for vendors to fix a certain vulnerability that was fully disclosed, it
is almost impossible to quantify the number of attacks that succeed due to the knowledge about unveiled breaches.
Given the potential for harm, vendors have attempted to sue finders who practice full disclosure. Alex
Halderman, a Princeton PhD student, was threatened by SunnComm with a ten million dollar lawsuit for
exposing a weakness in the Media Max CD3 product that allows a user to duplicate copyrighted material
(Smith, 2003). SunnComm maintained that the disclosure affected the company's reputation and caused its market
value to drop by more than $10 million. In this particular case, the student did not reverse engineer the product,
but only used a well known and documented OS feature to achieve the reported result. In essence, he described
how the normal use of the operating system could cause undesirable results in the Media Max CD3 application.
SunnComm eventually reversed the decision to sue the grad student. SunnComm's CEO acknowledged that his threat to file
a lawsuit was a mistake and that "the long-term nature of the lawsuit and the emotional result of the lawsuit
would obscure the issue, and it would develop a life of its own" (McCullagh, 2003).
Hostile vendor response to full disclosure can hinder hardening of products and can strain the relationship
between software vendors and adopters. If vendors should bear responsibility for the security of their
products, one wonders whether, rather than threatening Mr. Halderman with a lawsuit, the vendor should somehow
have rewarded him for going above and beyond the company's best efforts to find flaws during the test phase of
the lifecycle and for contributing to the enhancement of its product line. Was SunnComm's stiff reaction due to
the harm caused by the flaw or due to pressure from the makers of copyrighted material?
Responsible disclosure intends to ameliorate some of the concerns raised regarding full disclosure. Under
responsible disclosure, practitioners (or “finders”) notify the vendor first to allow a reasonable timeframe
to fix a problem. Once a fix is released, a finder may or may not publish full details about the vulnerability.
Although vendors prefer not to give financial rewards to finders, it is common industry practice to publicly
credit them for their work when a fix becomes available. Responsible disclosure aims to allow a vendor enough
time to apply best engineering practices. These best practices both improve the quality of the fix and diminish
the chance of introducing new flaws in the product. Solutions can be backported to previous versions, and fixes
can be made available on internationalized versions of the product by the time the patch is announced.
While best engineering practices are desirable, they can significantly increase the time needed to produce
a fix, thus increasing the window of exposure. Enterprise customers may not welcome frequent patches and do not
always deploy them quickly. They often prefer fewer releases due to the cost of deployment and prefer installing
a single patch that resolves several vulnerabilities (Viega, 2009).
Although many vendors are committed to excellence, others may delay security fixes in favor of revenue
generating feature enhancements and bug fixes. When faced with unacceptable delays, the finder is left
with the dilemma of either trusting that the vendor is responding reasonably and acting in good faith,
or demanding a shorter timeframe on behalf of the user community. For the finder, the ultimate weapon
against negligent vendors is to threaten them with a full disclosure.
Once a fix is released, some finders publicize details of their findings. Unfortunately, the same contributions
that ought to lead to improvements in security can be used to cause harm. According to Viega (2009), over 95%
of the malware that leverages security flaws uses vulnerabilities whose details were published on the internet.
The role of Good Samaritan and user advocate is suddenly challenged by the perception that finders are after
self-promotion and financial gains from selling security assessments.
According to this train of thought, it is not in the economic interests of finders to put off taking credit for
finding vulnerabilities, even though users may be hurt.
FULL VS. RESPONSIBLE DISCLOSURE: More to the Story
Clearly, the debate of full vs. responsible disclosure is current and multidimensional. According
to Schneier (2007), responsible disclosure, by definition, requires secrecy, which in turn prohibits public
debate about security. Inhibiting the free flow of information hurts security education, and security education
leads to improvements. Information secrecy prevents citizens from accurately assessing their own risk and from making
informed decisions about security. Other experts argue that when systems carry life threatening flaws (such as a defect
in an airport control system that could lead to an airplane crash), public awareness is a necessity regardless of
whether or not a fix is currently available.
Given the debate over which is the better approach to vulnerability disclosure, Cavusoglu, Cavusoglu and Raghunathan
(2004) investigated how vulnerabilities should be disclosed in order to minimize the social loss. In this study, social
loss was defined as the vendor's patch development cost and the damage and workaround costs incurred by adopters. The
study looked at three disclosure models: full vendor disclosure, immediate public disclosure, and a hybrid approach.
They found that none of the disclosure models is always optimal. Rather, the findings of this study suggest that the
optimal approach to vulnerability disclosure is stochastic and the main determinants are the characteristics of the
vulnerability (i.e., risk before and after disclosure), the cost structure of the software user population, and the
vendor's incentives to develop a patch.
Arora, Telang and Xu (2008) examined how vulnerability disclosure policy can optimally balance the need to protect
users while providing vendors with incentives to develop patches expeditiously. Their model suggests that the optimal
disclosure policy depends upon the behavior of vendors, potential attackers, and users. When vendors do not internalize
the entire user loss, they will release the patch later than what is in the best interest of users, unless they are
threatened with disclosure.
Arora, Nandkumar and Telang (2006) investigated how attack propensity changes with the disclosure and patching of
vulnerabilities. In contrast to the Cavusoglu et al. (2004) study, this research sought to identify which policy
(full instant disclosure regardless of patch availability vs. limited or no disclosure) is optimal based on reducing
attack frequency over time. Findings suggest that patches do, in fact, provide crucial information to attackers,
underscoring the need to think carefully about efficient and effective means for managing patch dissemination.
Studies such as these have the potential to provide important insight into the nuances of when, how, what, and to
whom vulnerability information should be reported. As we can see from these studies, the real questions are
not about full vs. responsible disclosure, but the conditions under which a particular disclosure policy
may be better than another.
(That has been studied for years by the University of Houston - School of Science and Computer Engineering.) Thank you
for this information.
This study took place FAR BEFORE THE DUTCH REINVENTED IT (but did not study it properly imho).