If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy
James Madison, 4th US President (1809-17) and one of the founding fathers of his country (1751-1836)

Thursday, January 11, 2007

Responsibility when disclosing Microsoft Vulnerabilities...hrm...

OK...I stumbled across this post at CSO via OSNews entitled "Microsoft: Responsible Vulnerability Disclosure Protects Users" that talks about, as the title suggests or puts implicitly, Microsoft's concern about "Responsible Disclosure Of Vulnerabilities". I intentionally left off the concern, for I doubt this is the source of the concern. Microsoft is more concerned about how public disclosure will make its wonderful applications and OSs look; however, I will ask what the alternative is...Linux, which is not quite ready for the average user just yet...IMO. Anywho...I am all about disclosing vulnerabilities in any software in a responsible manner...let the developer know about it...who knows...besides accolades you might get paid, but let the developer have a chance at it. Hrm...or can more be made by selling what you have found for guaranteed bucks, as read in the article "Windows Vulnerabilities for Sale" and many others I am sure? It is clear that money speaks volumes over what might be the "right" thing to do for some. On the other hand, you have those people that do follow the "right" path and disclose any vulnerabilities that they may have found, but in being responsible in reporting what they have found, it seems to fall on what is perceived to be deaf ears. How many times have you read a vulnerability disclosure to the public that made it clear the only reason they decided to go public is because Microsoft or another developer has done nothing to fix the hole in their software, or failed to keep those that find the holes in the loop on what is being done to fix a hole if it takes a while?

I would venture to guess that money speaks volumes in the end for those non-professional types that can see a payday when offered $4,000 to $50,000 for a hole into a Microsoft product or other software. Cha-ching! While it isn't "right", it is happening...and to stop it or slow it...why shouldn't Microsoft or others...offer some monetary reimbursement for these holes that are discovered by those not in the company? Which actually leads to another situation: many "inside" folks at Microsoft or other development companies may be selling their knowledge of holes to the black market. That just sucks; however, that is just a possibility and not proven.

In the end...companies like Microsoft need to make turning in vulnerabilities more rewarding for those that find holes in the software, and just maybe...there will be a turn in how many of those vulnerabilities find their way to the underground...traded freely on IRC, private servers, forums, BBSs, and so on.

Why not give them a Ferrari Laptop with Vista! :P

CSO has another article entitled "The Vulnerability Disclosure Game: Are We More Secure?", which is another good article to read on this topic.
