[VIM] "Irresponsible Disclosure"
jericho at attrition.org
Thu Sep 10 00:10:30 UTC 2009
Computer Academic Underground
All the rage these days seems to be practicing the so-called "Responsible
Disclosure" route of vulnerability disclosure, wherein Vendors are
hand-held through the process of being notified of their bugs, spoon-fed
the vulnerability information, and allowed months and months of time for
them to create, test, and release a patch.
We think that's bullshit. We don't have the time, nor the desire, to hold
a Vendor's hand during the process of fixing their crappy product.
Full-Disclosure, hereafter referred to as "Irresponsible Disclosure",
specifically to mock the existence of this other sluggish and
resource-intensive method of vulnerability disclosure which has been
brought to the security research community and branded as "Responsible
Disclosure" by the very Vendors that have the most face to lose, is the
official policy of the Computer Academic Underground.
Irresponsible Disclosure has been proved time and time again to not only
allow consumers with vulnerable products to immediately test those
products to identify if they are in fact vulnerable, but has also been
proved to cause Vendors to develop and release patches much more
diligently. It is folly to assume that because a vulnerability has not
been publicly disclosed it is not being exploited in the wild. By causing
Vendors to patch more quickly, the window of opportunity for exploitation
is drastically shortened, and therefore is better serving those who are
vulnerable rather than the vendors who introduced the vulnerability to the
consumers in the first place. Responsible Disclosure is analogous to Gun
Law; When you take away the guns from law-abiding people, the only ones
with guns are the criminals. Such is the case for vulnerability
information; When you don't allow the public to have the information, the
only ones who likely have it are the malicious folk who want to keep it
private and use it for nefarious purposes.
In all seriousness though, the Computer Academic Underground has no
official disclosure policy. Each member of CAU makes their own decisions
about what and when to disclose, made on a case-by-case basis regarding
individual vulnerabilities, the impact they pose, and the consumers and
More information about the VIM