Google blogged earlier this week on responsible vs. full disclosure of software vulnerabilities, suggesting that 60 days was a reasonable timeframe for allowing full disclosure if a vendor patch wasn’t available by then. Microsoft responded with a blog post on “coordinated vulnerability disclosure” that basically advocates negotiation between the vulnerability finder and the software vendor on a reasonable timeframe, but still eschewing full disclosure in favor of releasing advanced security advisories that give enough information to warn users without enabling day zero attacks.
What this really comes down to is consumer/cloud software vs. enterprise/host software – one size of vulnerability disclosure does not fit all. When the software only runs in one place (the cloud) and is only used as-is by consumers (vs. being integrated into many other applications), patches are easier to develop and far easier to push out. For software that runs on thousands of platforms and is often tailored and integrated into other complex platforms, patch development and QA take longer, and patch deployment takes longer still.
So, since Google is consumer/cloud oriented, they can live with a different disclosure policy than someone like Oracle or Microsoft can with their products. However, there does need to be pressure on software vendors to prioritize patching software as soon as possible vs. trying to hide vulnerabilities until regularly scheduled version updates.
Vulnerabilities that are announced too soon are just as dangerous, if not more so, than vulnerabilities that are patched too late. The existing “responsible disclosure” approach originally put enough pressure on software vendors to keep patch times reasonable, but recently the time between vulnerability discovery and patch has seemed to get far too long in many cases.
I think the best approach is a “one from Column A, one from Column B” approach – if a software vendor hasn’t produced a fix within 60 days or the agreed upon time, vulnerability finders should feel free to release advanced security advisories but there is never, ever a need for exploit code to be released before fixes are widely available.
But to assume that consumer or cloud-based software should be treated the same way as enterprise/host software is a mistake.