Irresponsible disclosure? That’s a big fat zero

Brian Krebs has published an interesting interview on his KrebsOnSecurity blog with Evgeny Legerov, the founder of Russian security firm Intevydis.

In the interview Legerov reveals that he plans to take the controversial step of releasing details of previously undocumented zero-day vulnerabilities in several widely-used software products, as he is fed up with software vendors not taking the security holes seriously:

"After working with the vendors long enough, we've come to the conclusion that, to put it simply, it is a waste of time. Now, we do not contact vendors and do not support the so-called 'responsible disclosure' policy," Legerov said. For example, he said, "there will be published a two-year-old RealPlayer vulnerability soon, which we handled in a responsible way [and] contacted the vendor about."

I can understand Legerov's frustration, but I think he's wrong to release information about unpatched vulnerabilities. Publishing details of a zero-day while no patch exists hands attackers a ready-made weapon, and the people most likely to suffer are innocent computer users whose systems are compromised before the vendor ships a fix.

What I think Legerov has failed to realise is that there is another way to get vulnerabilities fixed, whilst still behaving responsibly.

If a software vendor has failed to respond in an appropriate time to a vulnerability that exists in its shipping code then you don’t have to go public with details of the security hole. Instead, you could use the power of the media to your advantage.

Rather than posting detailed specifics of how to exploit the vulnerability on the internet, work with a friendly journalist. Demonstrate the security hole to a journalist, perhaps even make a video showing the problem (but *without* giving away details of how anyone else could replicate the issue), and rant as loud and long as you like about how frustrated you are with the software vendor.

It will make a great news story – and that will pressure the vendor to take the necessary steps.

Irresponsibly disclosing details of vulnerabilities is effectively putting a gun to the head of a software vendor, but it risks shooting innocent users too. If you've found a serious vulnerability, a security journalist will be happy to discuss it, publicise it to their readers, and put pressure on the vendor to take appropriate action.

* Image source: Ferran Nogués’ Flickr photostream (Creative Commons)