[VIM] Responsible Disclosure Article

Heinbockel, Bill heinbockel at mitre.org
Thu Sep 14 10:33:52 EDT 2006

Continuing the discussion surrounding vulnerability disclosure
from the roundtable at Blackhat, Security Focus has an article
with feedback from vendors and some researchers (Litchfield, HDM).

"Disclosure survey" - Federico Biancuzzi

Generally, I agree with the comments of Michal Zalewski.
In an ideal world, responsible disclosure is the best route. However,
for responsible disclosure to work, it requires support from both the
researcher and the vendor.

My two biggest problems concerning practical responsible disclosure:

1. Vendors need time to find, address, and fix the problem. During this
period all systems are vulnerable, which seems to be alright assuming the
researcher is the only one who knows about the vulnerability. So, how
often do you think this assumption is false? Let's take the most recent
Apple advisory for QuickTime (APPLE-SA-2006-05-11) - for CVE-2006-1249
concerning the integer overflow in FlashPix images, Apple credits two
different, probably independent researchers. If two people reported to
Apple, how can we be certain that no one else is already active
2. System administrators need information in order to secure and patch
their systems. With the most recent rash of Microsoft Office 0-days,
system admins can respond by notifying their users and blocking
attachments at the e-mail server. While this will not eliminate the
it will cut the chances of exploitation. Furthermore, when patching
systems, administrators need to know the patch details to determine the
response. Is it critical and must it be deployed immediately? Are we even
affected by this? In the case of Oracle CPUs, DBAs are left empty
Database regression testing is costly and could be reduced if the
kept up their end of responsible disclosure.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
