The Security Vulnerability Disclosure Debate (Part 1)
By blogsadmin on Jul 07, 2006
Hello, my name is Eric Maurice. I am a Manager for Security in Oracle's Global Technology Business Unit. I assist the Office of the Chief Security Officer with the definition of Oracle's product security strategy and vulnerability and incident response procedures.
There are a lot of discussions in the security industry about how to best handle vulnerability disclosures and patch issuance in commercial software. I thought this blog would be a good opportunity to have a high-level discussion about the various approaches to vulnerability disclosure throughout the industry and briefly introduce Oracle's practice in this area.
It is not a surprise to find that there is a wide range of opinions about what constitutes an appropriate policy for the disclosure of security vulnerabilities. Opinions really range between two extremes: from full disclosure (typically favored in the open source community) to no disclosure at all!
Proponents of the full disclosure approach believe vulnerabilities should be disclosed as soon as they are discovered. The problem with full, immediate, unrestricted disclosure is that it can expose vulnerable environments to attacks. Such attacks can potentially result in serious break-ins and catastrophic economic impacts, as proven by the various malware outbreaks of the past few years.
The challenge for software vendors is that, in addition to having sound secure development practices, they need to disclose vulnerabilities and issue patches in order to make sure that their customers' environments remain secure. Yet, a vendor's disclosure of the existence of a security vulnerability in its product can also lead to an undue level of attention from potential attackers. For example, recent events have shown again that, shortly after the disclosure of the existence of software vulnerabilities in conjunction with the release of the appropriate security patches, exploit code was available for download on the Internet and exploit methods were discussed on public hacking sites. One shouldn't be surprised that attack code is created even when the vendor of the affected solution has addressed the vulnerability by issuing a patch. This is because attackers are very aware that a significant amount of time can pass between the availability of a security patch and its application by users. This "time to patch" delay is made worse in large desktop environments, or when the patch has to be applied against a business-critical server application.
What would happen if a vulnerability disclosure took place before a patch or workaround was available?
Early disclosure (prior to patch availability) provides attackers with the ability to quickly develop exploits while systems are most vulnerable, because no patch or workaround is available. In other words, the early disclosure of an exploitable vulnerability would amount to providing malicious attackers with a technical opportunity and much of the required knowledge to execute attacks with a high probability of success.