Oracle and "Responsible Disclosure"
I’ve been writing about “responsible disclosure” for over a decade; here’s an essay from 2007. Basically, it’s a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly.
When that agreement breaks down, things go bad quickly. This story is about a researcher who published an Oracle zero-day because Oracle has a history of harassing researchers and ignoring vulnerabilities.
Software vendors might not like responsible disclosure, but it’s the best solution we have. Making it illegal to publish vulnerabilities without the vendor’s consent means that they won’t get fixed quickly—and everyone will be less secure. It also means less security research.
This will become even more critical with software that affects the world in a direct physical manner, like cars and airplanes. Responsible disclosure makes us safer, but it only works if software vendors take the vulnerabilities seriously and fix them quickly. Without any regulations that enforce that, the threat of disclosure is the only incentive we can impose on software vendors.
Iggy • November 14, 2018 7:23 AM
Astonishingly, in America where our Constitution protects you from the government silencing you, if a big wallet hires a big lobbyist they can buy a law that makes it illegal to say bad, though accurate and truthful, things to the consuming public, even when such truth telling serves the naive end user who paid money for a safe product that doesn’t betray them. Such truth telling serves the software vendor too, in the final analysis. If a vendor builds a reputation for fixing flaws swiftly, then people like Schneier will crow about it and new customers show up.
But as we all know, profit makers seek guaranteed revenue streams at every turn. Not spending money is a guaranteed revenue pool.