If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy
James Madison (American 4th US President (1809-17), and one of the founding fathers of his country. 1751-1836)

Tuesday, April 17, 2007

How much information is too much information when reporting flaws

I don't know, but it is an interesting dilemma. Software companies want to do the responsible thing: let their customers know of a flaw without disclosing the flaw itself, and provide a workaround until a patch is available. But it seems there are a few people out there who take the workaround information and figure out what the flaw actually is. Besides those who intend to do good with the exploit, pen testers and such, you still have the group of people who intend to do harm with it. So a flaw that might have gone unnoticed until it was reported becomes a real security hazard for those who actually use the vulnerable software. Now they HAVE to apply the workaround, and the patch as soon as it is available, because X software company has in essence published a "how to" exposé on its own software.

It is a vicious circle, this damn responsible disclosure, but I would rather have the software companies let this information be known and speed up the process of patching than have something widely used out in the wild with a hole that is still unknown.

Where do you stand on this debate?

- "MS Giving Exploit Writers Clues To Flaws" @ slashdot
- "Microsoft’s advisories giving clues to hackers" @ ZDNet blogs
