I guess every time I read misguided commentary about vulnerabilities, I should be allowed to respond, since I am not in the majority (yet ). In this case, you can tell Jason really supports my viewpoint, and I’ll show you where and why.
The value of vulnerabilities
An unfortunate title – Freudian slip? Happens to the best of us sometimes.
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn’t exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
[snip lots of stuff on just how cool vulnerability research is. Gotta like a guy with passion.]
Where do vulnerabilities come from?
[...]Most public vulnerabilities are disclosed by a security researcher, and more often than not these are on a major security-related mailing list such as Bugtraq.
Now, for whatever reason, the public disclosure of a vulnerability is often considered to coincide with its very existence. Even the often-used term "zero-day" seems to imply that an undisclosed vulnerability doesn’t really exist yet. This belief is a mistake that too many people make. It’s as if people are under the impression that these vulnerabilities don’t actually pose any sort of threat until they’re publicly disclosed.
[...]There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it.
But should we then expect security researchers to audit commercial software, which is sold for profit, and to do so for free?
If there are ethical issues in the sale of vulnerabilities, what’s ethical about selling very insecure software in the first place? While its impossible to write software without vulnerabilities, it’s pretty obvious that some companies don’t even try to create secure products.
Why we need responsible, public disclosure
Personally, I believe that vulnerabilities pose a real threat long before they are publicly disclosed.
The notion that publicly disclosing these issues puts people at risk – long after the vendor has been notified, and months or even years have passed without any sort of public notification – seems ignorant and self-serving.
This view also seems like nothing more than an attempt to divert the blame for insecure software and a poor remediation process away from where it belongs: those who created the software. The bottom line is that after a vulnerability is discovered and reported to a vendor, the systems are still vulnerable to the issue, regardless of whether or not someone decides to make the information public.
And, to clarify, I’m not saying that posting an exploit to Bugtraq before even contacting a vendor (or perhaps, just a few hours after contacting them) is responsible. It’s not. I’m also not saying that it doesn’t put people at risk.
Ultimately, I believe that security researchers are doing us all a favor. That’s something that they deserve to be rewarded for. While responsible disclosure is important, there are also limitations to reasonable vendor response times – because people are at risk long before the public disclosure. In the end, security researchers aren’t the ones creating the vulnerabilities, they’re just the ones finding them.