Firefox buffer overflow and full disclosure
Posted Sep 15, 2005 19:49 UTC (Thu) by
Duncan (guest, #6647)
In reply to:
Firefox buffer overflow and full disclosure by RobSeace
Parent article:
Firefox buffer overflow and full disclosure
Very well stated.
If I find a security issue, that info is mine. If I'm a blackhat, I can
exploit it myself, or sell it to someone else to exploit. It would only
be due to my /not/ being a blackhat, only due to my sense of ethics, that
I have any reason at all to make the information known, either publicly or
to the author directly, rather than by a zero-day in-the-wild exploit.
In such a situation, the author and users should be /thanking/ the
discoverer for making such problems known, /however/ they choose to do so,
rather than taking illicit gain from the problem, making it known only
with a reverse engineering of the already deployed exploit. We (the
authors and users) are already in their debt, that they considered our
welfare above the possible illicit gains. Additionally, as is commonly
pointed out, there's nothing saying someone else isn't already taking
illicit advantage of the same security flaw. Thus, it makes no sense for
us to be condemning them for /how/ they made the problem public, when we
really /ought/ to be /thanking/ them for the disclosure in the first
place. As you stated, it's not full disclosure that's the problem, but
rather, the lack thereof.
Sure, I probably would have given the devs a bit more notice, say, a week
or two, before going public. I'd have likely stated the date I intended
to go public on the original bug filing: "I will be making this public a
week from today." or the like. That's just the way I am. However, what
I'd do in no way obligates others to do likewise, and it's just as true
that the discoverer is doing the author and the public a favor by turning
it in rather than putting it to illicit use, regardless of /how/ long he
gives the authors to fix it, even if that's /zero/ time. The timing is
entirely up to the discoverer and nothing can change the fact that by
going public with the discovery, he's doing the public a BIG favor.
Duncan