Saturday, 31 January 2015

Responsible Disclosure

Google has been in the news recently for their public shaming of Microsoft.

Ninety days after Google reports a vulnerability to the vendor, the details are made public. This is meant to provide a bit of extra motivation for vendors to fix reported issues. And, for most companies, it’s probably more than enough time to resolve the issue.

Since a fixed 90-day deadline doesn’t necessarily align with Microsoft’s current “Patch Tuesday” release cycle, I can understand why MS is not a big fan of it, though. Maybe this will lead to more frequent patch releases, which could be good or bad, really…

All in all, I think responsible disclosure of issues is important. Nothing (ethically) is gained by publicizing an exploit before the vendor has fixed it, so full disclosure probably isn’t often needed. But I do think putting some external pressure on vendors is sometimes necessary, especially if the vendor isn’t all that communicative or open with the people who discover the issues.