Rock on.

    In the computer security community, there is an everlasting debate between "responsible disclosure" and "full disclosure" when reporting security vulnerabilities. "Responsible disclosure" is the name given to the method of disclosure favored by most software vendors: vulnerabilities are disclosed only to the vendor of the affected software code, theoretically allowing the vendor to fix the code and distribute the patch. "Full disclosure" is the name given to the other method: vulnerabilities are disclosed to all, so that everyone affected by the vulnerabilities can take action to protect their systems until the vendor releases a patch.

    Microsoft's products are still widely used, making them very lucrative targets for the lawless variety of Internet hackers. The more clever among them have unknown vulnerabilities in Microsoft's products hidden away, with the next one ready to deploy once those known to the public are effectively patched. This, however, is information that can only be anecdotally verified, due to its very nature. It can't be verified to an extent that would satisfy a major software vendor like Microsoft.

    This leaves law-abiding Internet hackers and security researchers in a very difficult position when they discover unpatched vulnerabilities.

    Advocates of "responsible disclosure" assume that Internet criminals haven't discovered the vulnerability that needs to be disclosed, so the best approach is to report the vulnerability to the vendor privately, then leave it to the vendor to write, test, and deploy a patch. They argue that disclosing a previously undisclosed vulnerability to the public would place all the information needed to exploit that vulnerability in the hands of criminals, who will then go on to do just that until system administrators can install a patch when the vendor releases one. And this argument is, on the surface, correct.

    Advocates of "full disclosure" assume that Internet criminals are just as likely, if not more so, to discover a previously undisclosed vulnerability as law-abiding Internet researchers. This is correct, for there are a large number of highly intelligent people on both sides of the law, and greed and fear are both powerful motivators for those on the wrong side of the law. These two motivators together drive the lawless not only to craft ways to exploit vulnerabilities in ways that make detection difficult, but to bide their time and wait until the right moment to deploy or strike.

    Advocates of "full disclosure" also counter the "responsible disclosure" point with the fact that software vendors are not motivated to patch vulnerabilities unless their bottom line is immediately threatened by the vulnerability. Vendors, including Microsoft, have been known to sit on "responsibly disclosed" vulnerabilities for years without patching them, only to be caught with their virtual pants down when criminals decide to exploit those vulnerabilities in ways that attract media attention. Microsoft have even sat on a fully disclosed vulnerability for eight years before it finally gained enough media attention for them to patch it. If they're that slow to move on fully disclosed vulnerabilities, then how much more slowly do they move on "responsibly disclosed" vulnerabilities that never see the light of day?

    They always seem to patch vulnerabilities quickly, within a few days (or even hours) of the embarrassment, coming to the rescue of their customers like a knight in shining armor with a brilliant new lance to slay the Internet dragon.

    But the one among the law-abiding credited with discovering the vulnerability is often slain in the press as a witch alongside the dragon that is the vulnerability reported, as if he summoned the dragon terrorizing the Internet into existence himself.

    Today's witch being slain in the press is a Google employee named Tavis Ormandy. He is the law-abiding hacker who discovered the bug in the Help and Support Center allowing remote code execution that Microsoft finally acknowledged on June 10. He is being vilified because he disclosed the vulnerability in a post to the Full Disclosure mailing list.

    In that post, he went into detail about the exact nature of the vulnerability. For that, he's been attacked in the media.

    In that post, he went on to give detailed instructions on how to mitigate this vulnerability, how to render it null and void, and he even supplied a patch easy for programmers to understand.

    For that post, he's being criticized as an example of why "full disclosure" is wrong. But full disclosure is not wrong. Full disclosure was the only option left to him in getting Microsoft to move against this pretty large, fundamental, and surprisingly easy to patch hole. He's being blasted for not following the principles of "responsible disclosure" by giving Microsoft "only" five days to react.

    Only?

    Microsoft were awful quick to move against the vulnerability once it hit the fan, posting a detailed advisory the very same day.

    It hit the fan because many, many days after full disclosure, malicious exploits against this vulnerability showed up in the wild. It took five days, the same length of time he gave Microsoft, meaning ten full days after he reported it to Microsoft initially.

    And what happened during the five-day window he gave Microsoft in his act of "responsible disclosure"? Well... "Those five days were spent trying to negotiate a fix within 60 days." Sixty days. Two entire months, in which this vulnerability's existence went from maybe known to known. (Only a naive fool would think vulnerabilities in popular software products are ever completely unknown to anyone.) That, to many security researchers on both sides of the full disclosure debate, is unacceptable.

    But for those who subscribe to "responsible disclosure," that unacceptable non-solution is what they get, far more often than not.

    Those who subscribe to "full disclosure" don't take as an answer being told, as W. C. Fields might put it, "Go away, kid, you bother me."

    They bother software vendors for a very important reason: It's the only way they seem to listen to what matters.

    Keep on making our software safer, Full Disclosure. Thanks for doing the right thing, even when it's extremely unpopular.

    Rock on.


    Whoops. Looks like Microsoft have a problem beyond "full disclosure" to contend with. How about "no disclosure"?

    French security services provider VUPEN claims to have discovered two critical security vulnerabilities in the recently released Office 2010 – but has passed information on the vulnerabilities and advice on mitigation to its own customers only. For now, the company does not intend to fill Microsoft in on the details, as they consider the quid pro quo – a mention in the credits in the security bulletin – inadequate.

    -- ArielMT, Wed Jul 07 11:14:27 -0700 2010
