Disclosure of vulnerabilities

Posted Apr 1, 2006 8:54 UTC (Sat) by man_ls (subscriber, #15091)
In reply to: Ethical behaviour by Shanep
Parent article: Interview: Theo de Raadt of OpenBSD (NewsForge)

Responsible disclosure does not work that way. Suppose that A knows that B's software has a vulnerability. A notifies B in advance and, some time later, A goes public. The amount of advance time is under discussion; two weeks to a month seems reasonable. For example: you find a vulnerability in Mac OS X, you notify Microsoft and wait for a month. Apple has time to patch the system and to distribute the patch; then you can go public.

Now let us suppose you find a vulnerability in OpenSSH. You notify the OpenSSH team at security@openssh.org (or whatever) and give them a month. But you know nothing of Sun's own SunSSH; however de Raadt does, and he knows that the vulnerable code is in Sun's version too. So de Raadt knows that some software (SunSSH) has a vulnerability, and should in the interest of responsible disclosure warn them in advance. However he is mad at them for not inviting him to their sleep-overs and he does not warn Sun; when the bug goes public, Sun's software is exposed with no advance warning.

So you see that responsible disclosure is orthogonal to full disclosure. Neither is a matter of law, but of ethics; the latter says "let users know what is wrong with their software", the former says "let developers patch their software before the black hats get the information". A crucial security provider should know the difference.

Disclosure of vulnerabilities

Posted Apr 1, 2006 12:30 UTC (Sat) by Shanep (guest, #36879) [Link]

Sorry, but if you want to talk about ethics, then where are Sun and IBM's ethics? Theo refusing to give them a heads-up on security issues is hardly worse than Sun and IBM, with all their money, refusing to give a cent but expecting support for free. If you get any at all, it is a damn temporary privilege.

Sun and the rest need to look at the part of the BSD licence which disclaims all warranties. Sure the code is as free as it gets. But don't expect support at all, much less for free.

I would love to see Theo charge a premium for responsible disclosure.

Disclosure of vulnerabilities

Posted Apr 1, 2006 13:40 UTC (Sat) by man_ls (subscriber, #15091) [Link]

That is precisely the point. Of course Sun is not behaving ethically. But seeing the other party is not behaving ethically is no excuse for behaving unethically yourself.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds