Well, the Echelon One folks are certainly gearing up to be a force to reckon with in the security space. Scott Blake and David Mortman, two sharp guys, outline three reasons why they believe disclosure is beneficial (and I respond):
First, vulnerabilities in the public domain have little to no economic value to actors willing to pay to suppress the information.
It is not clear to me how this tautology is meaningful in the context of the issue, unless suppressing the information is an unwanted outcome. Given that the entire position is about disclosure, I interpret this reason as essentially saying disclosure is good because suppression is bad. But we need the reason why suppression is bad.
Second, although vendors should always be given a chance to respond to vulnerability information before it is publicized, the expectation that disclosure will inevitably occur is an essential economic incentive that pushes vendors to build more secure technology.
I don’t deny the power of blackmail. I was just reading today an opinion that suggests it was used against Apple ("Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded …"). But non-disclosure (actually, non-discovery) is much less expensive and would accomplish the same goal. In addition, we never set a benchmark for "secure enough" which is a real problem – if "more secure" only means fixing every new vulnerability as it is found, the end goal is a moving target that provides no comfort at all – you can never be sure if/when you are done. Even worse, you can’t tell whether you have surpassed the law of diminishing returns. In any case, we are much better off perfecting the alternative protection strategies that don’t rely on this model.
Third, and perhaps counter-intuitively, enterprises are less at risk from the exploitation of vulnerabilities that are publicly known than from those that are held in secret.
This is simply, and provably, false. Unless the risk in question is unrelated to exploits/incidents. And even if it were true, there is a problem with the allocation of resources – enterprises spend much more time on the former vulns and not the latter ones.
Scott, David – your thoughts?
Got to agree with you here. A number of people are doing research on how many zero-day exploits are out there on random websites. I wish I had the stats to refute the Echelon One guys. I wish they would actually offer up some evidence on this point so as to make it more than pure opinion.
Hi Pete! I’m glad the abstract of our research paper caught your eye. There is, of course, more detail and evidence in the paper itself, which is available to our subscribers. However, I’ll summarize somewhat less briefly than the abstract.
On the first point, I think you’ve missed what we’re saying. You have to consider who the actors are who are willing to pay to suppress vulnerability information. While there are many people who want to suppress, there are demonstrably very few will to pay for the suppression. They are, almost entirely, the bad guys. I think you’ll agree that taking vulnerabilities out of the hands of the bad guys is a good idea.
Second, the history of vulnerability repair is very clear on this point. Prior to the wonderful world we have reached today, precious few software makers would fix even the most egregious flaws without, as you put it, “blackmail” to move them along. We also recognize that this lever to move vendors can be and has been misused, sometimes more than occasionally. We don’t propose to solve all the problems here, merely that the balance of factors tips in favor of disclosure.
Our final point is somewhat more anecdotal, but is based on direct experience in large enterprise security operations. I’m curious about your purported “proof.” I think you may be falling into a common trap of thinking that the number of incidents and the visibility of incidents is interchangeable with rigorous calculation of risk. For the latter, we need to understand the true costs of incidents in business terms and there are many examples of very serious incidents that have never been publicly disclosed, the prevention of which would trump many times over any of the big public events like worm outbreaks. These incidents increasingly use previously unknown vulnerabilities.