2002-10-30
The new Organization for Internet Safety aims to make vulnerability disclosure more responsible. It's a good idea, but is the group too corporate to pull it off?
Responsible Disclosure by Corporate Fiat
The fundamental conflict that occurs here between vendors who want to conceal vulnerabilities and thereby reduce their costs to fix them (by any means necessary, including lying, denial, and willful ignorance), and people who have to deal with the fallout of irresponsible vendor behavior, is not one that is going to get solved.
And in terms of disclosure, the most valuable bugs to crackers are the ones other people don't know about.
Vendors may not like that the first step to taking responsibility for their product flaws and engaging in remediation is coming from outside their ivory towers, but that's how it works, and that's how it's going to continue to work. This is so if for no other reason than that most of the vendors out there would fix things before they released them if they could find the problems. Their users end up being the cheap testbed, along with all sorts of other various scenarios.
One doesn't even have to be particularly malicious either to easily justify disclosure without notification. For instance, Microsoft cheated me out of an ongoing contract by getting the vendor to migrate to another platform by -giving away- their products in return for the migration to their platform. They broke the law, deprived me of income, and have since gotten a slap on the wrist for similar behavior.
For my part why would I want to ever do anything to see them succeed? I'd prefer it if they got buried under their own stupidity. I think they're lucky that thus far no corporations have taken aim at their flaws in that manner.
Companies may not like the dynamics of free speech, but their only recourse, as much as they may hate it, is going to be to release products that are more secure out of the box. They all love the market when it's going their way, but the consequences of shoddy engineering are something they don't like. Unfortunately for them, as much as they'd like, they can't make the insecurities of their products someone else's fault.
Funny how those who make secure products do the least complaining about this issue. That's the real bottom line here.
Link to this comment: http://www.securityfocus.com/comments/columns/120/17082#17082