Full disclosure
|
|
- This article is about a policy of the security industry. For the journalism practice, see Full disclosure (journalism).
Full disclosure in computer security means to disclose all the details of a security problem which are known. It is also a philosophy of security management completely opposed to the idea of security through obscurity, and that is what this article discusses.
The issue of full disclosure is controversial, but not new: locksmiths were discussing full disclosure over a century ago.
| Contents |
Definition
Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to save face. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as Bugtraq and full disclosure by other means.
Various interpretations
Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.
Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called "responsible disclosure".
In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public. Opinions differ on what constitutes a reasonable time. Thirty days is typical, although the period could be a matter of hours. Internet Security Systems were widely criticised for allowing less than eight hours before disclosing details of a vulnerability in the Apache HTTP Server.
Limited disclosure, with full details going to a restricted community of developers and vendors, and only the existence the problem being released to the public, is another possible approach. Advocates of this approach also claim the term "responsible disclosure".
To address the controversy of disclosing harmful information to the general Internet community, including blackhats, Rain Forest Puppy developed the RFPolicy, which is an attempt to create a proper way to alert vendors to security problems in their products, and establish guidelines on what to do if the vendor fails to respond.
History
Full disclosure came to life after it became clear that the method employed by CERT did not work out as intended. The method was that vulnerabilities were reported to CERT, which would then inform the vendors. However, since the disclosures were private, some vendors took years to produce a fix or never produced a fix at all. In the meantime, the vulnerabilities were actively exploited by crackers. The tendency by software companies to ignore warnings and rely on crackers' ignorance of the problem became known as security through obscurity.
In response to CERT's failings, mailing lists and other avenues for full disclosure were established.
Controversy
Full disclosure can be controversial, as often these disclosures include code or executable tools to exploit the vulnerability. The argument against disclosure is that providing complete details or tools to malicious attackers, such as blackhats and script kiddies, allows them to take advantage of vulnerabilities more quickly and makes attacks more widespread. However, this argument assumes that without disclosure such tools and attacks would not have occurred. The advantage of disclosure is that whitehats will obtain the information, and that the vulnerability will be detected and patched more quickly.
See also
External links
- Full Disclosure Debate Bibliography - By Date (http://www.wildernesscoast.org/bib/disclosure-by-date.html)
- Full Disclosure and the Window of Exposure (http://www.schneier.com/crypto-gram-0009.html#1) from Bruce Schneier's Crypto-Gram, September 2000
- Full Disclosure (http://www.schneier.com/crypto-gram-0111.html#1) from Bruce Schneier's Crypto-Gram, November 2001
- Full-Disclosure mailing list (http://lists.grok.org.uk/mailman/listinfo/full-disclosure)
- Is it harmful to discuss security vulnerabilities? (http://www.crypto.com/hobbs.html)
- Matt Mecham: Why full disclosure is bad (http://ips2.blogs.com/matts_blog/2004/09/why_full_disclo.html)