Daily flaws ratchet up disclosure debate
Robert Lemos, SecurityFocus 2006-07-14

HD Moore is used to polarizing the vulnerability-research community.

Daily flaws ratchet up disclosure debate 2006-07-17
Bruce McCulley (1 replies)
Re: Daily flaws ratchet up disclosure debate 2006-07-22
Hordur Helgi Helgason
> Much of this discussion seems overly simplistic to me.
>
> [...]
>
> From that experience I think many important constituencies
> are ignored in the present conversation, so I hope others will
> join the discussion.

I have to agree with Mr. McCulley. It is not as simple as the Big Bad Software Companies producing sub-par products and then deliberately ignoring discovered vulnerabilities in order to maintain an image of invulnerability or to escape having to put an effort into closing up cracks and gaps.

Let me begin by checking my bias at the door, probably acquired through my years of working P&S contracts for s/w developers. I do promise to try not to only speak on behalf of my clients.

Granted, a publisher of any software title has a natural tendency to want to concentrate efforts on feature development while keeping cost within sensible bounds. This is especially challenging in the browser market, both because of the limited ROI but also because of constantly greater requirements and resulting swell in LOC count.

But there is another balancing act that needs to be observed: Yes, it is true that it is useful to consumers to have access to information on a system's vulnerabilities. Otherwise, their assumptions about the security of the system in question are little more than guesswork. It would actually also be useful to them to have access to source and a community setting in which to review the code. Not that I am equating the two, I am merely emphasizing the fact that disclosure, per se, is generally in consumers' interest, hence the open source movement. However, because of developers' limited resources (yes, even Micro$oft's), they will have to weigh the necessity of patching every discovered vulnerability, as soon as possible, and at any cost. That deliberation is seldom helped by the outing of a vulnerability by a third party. It merely forces the developer's hand in a rush to patch up what has now become a much more pressing issue due to its wider exposure, instead of being able to fold the patching into an ongoing release schedule. The result is commonly an earlier release of a patch, which is hopefully the goal of the vulnerability publisher, but arguably at a potentially greater cost and in more of a Band-Aid form, as opposed to an integrated update. That last point, I will concede, does not hold universally, but the cost part does, IMHO, which again translates into lost resources for other development or (heaven forbid) for compensation for the developer's efforts (again a limited opportunity in the case of the browser market).

We need to keep the relevant demands in perspective: Yes, the consumer has the right to have software live up to reasonable expectations, and that discovered vulnerabilities be dealt with in a timely fashion, or at least their respective exploits. But there is no inherent demand for flawless software. Every human contraption is inherently susceptible to attacks by other humans with equal or greater resources, be it in manpower, knowledge or time to tinker. Publishing vulnerabilities for the sake of exposing black hat exploits of them is a noble but quite single-sided approach to a complicated, multi-faceted issue.

Hordur Helgi Helgason,

The Legal Farm, Hartford VT

Link to this comment: http://www.securityfocus.com/comments/articles/11400/33964#33964

Copyright 2008, SecurityFocus