Bugtraq mailing list archives

Re: Can we afford full disclosure of security holes?


From: aleph1 () securityfocus com
Date: Fri, 10 Aug 2001 13:15:38 -0600

  Without detailed information:

  How should third-parties develop countermeasures? In essence you are
arguing that only the vendor should be capable of fixing the vulnerable
software.

  How should authors of vulnerability scanners and intrusion detection
systems obtain information to produce new signatures? You may answer that
only qualified security vendors should have access to the information.
Who qualifies them? Who enforces these rules? What about non-commercial
or open source tools?

  How should academics obtain information for research purposes? You may
answer that only qualified security vendors should have access to the
information. Who qualifies them? Who enforces these rules?

  How should users verify the vendor fix works as described? Some vendors
have a history of requiring a few revisions of a patch to get it right.

  What do you do if the vendor is not cooperating, does not maintain
the product any longer, or no longer exists?

  Unless you can answer all these questions successfully you will continue
to see detailed disclosure of vulnerabilities.

  What it boils down to is this: disclosure of detailed vulnerability
information benefits security conscious people, while, in the short term,
hurts people that do not keep up with security, with the hope that it
also helps them in the longer term.

  Will security conscious people give up the benefits of detailed disclosure
of vulnerability information to help mitigate the short term risk of people
that are not keeping up with security? Doubtful.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum