Zalewski is not ambivalent. His disclosure policy is targeted.

2) avoiding helping the bad guys is one of many (sometimes competing) goals… it is not the only goal a researcher needs to concern him/herself with, but it is one s/he should keep in mind…

3) i don’t pretend to know what the bad guys know on their own, i’m only speaking about the information that supposed good guys drop in their laps… you’re calling him an ambivalent guy (aka greyhat) but that contradicts the very notion of defending him… if what he did was actually good instead of bad then he was acting as a good guy… somehow though, exposing explorer users to greater risk doesn’t seem particularly good to me…

4) the fact that responsible disclosure hopes to close the window of exposure prior to public release of the information makes the opening of the window of exposure prior to public release of the information a given…

5) i support responsible disclosure… try to work with the vendor first, if that fails then release the info publicly… once a fix has been created then the info should also be released publicly so that the public knows why it should apply the fix…

6) the issue of vulnerabilities that the bad guys know about and we don’t can be addressed by a number of different means… one is to try and find those vulnerabilities independently (what’s so special about bad guys’s abilities to find vulnerabilities?)… another is to try to detect active exploitation of those vulnerabilities generically (honeypots, various autonomous agents, etc)… still another is to develop assets in the bad guy camp who’ll leak the info to you…

7) full disclosure prior to development of a fix is a last resort measure for trying to force the vendor to address the security concerns for the vulnerability in question… it places market pressure on the vendor by exposing their flaws to public scrutiny, but it also exposes their customers to increased risk…

There’s a great post by Pete Lindstrom over at Spire today about Michal Zalewski and his recent disclosure of a zero-day IE vulnerability without notification to Microsoft. Pete takes the “devils advocate” position by saying that Zalewski’s actions are…

1) If the time delay supported by “responsible disclosure” isn’t arbitrary, what is the mathematical proof behind [whatever the time delay happens to be]?

2) If good guys wanted to prevent (themselves?) from helping the bad guys, they wouldn’t disclose at all, as you imply in your comments about how the bad guys likely didn’t know about Zalewski’s vuln and how the window of exposure begins at disclosure.

3) You didn’t actually note that the bad guys likely didn’t know about Zalewski’s vuln, but I know it and you know it – the chance that there was some sort of overlap between ambivalent guy research and bad guy research is very, very low.

4) The “window of exposure” for this vulnerability started when it was coded and delivered to customers, not when it was disclosed.

5) It appears you were happier before this disclosure – do you support complete secrecy like I do?

6) What are you doing about all those other vulnerabilities the bad guys currently know about and you (we) don’t?

7) What exactly *is* disclosure a “last resort” to?

Btw, I like your blog (http://anti-virus-rants.blogspot.com).

Thanks for the comments,

Pete

sure it’s possible that the bad guys already knew about the vulnerability, but it’s also possible that they didn’t… by trying to work with microsoft first (with full disclosure as fall back position) the window of exposure for this vulnerability could potentially have been closed before details were given…

by practicing full disclosure before a fix is created the researcher makes the bad guys aware of a new and still effective avenue of attack and thereby increases the risk that they’ll be able to use it against people… because of those costs this kind of disclosure should only be practiced as a last resort…