[VIM] "Irresponsible Disclosure"

security curmudgeon jericho at attrition.org
Thu Sep 10 00:10:30 UTC 2009


Computer Academic Underground
Disclosure Policy

"Irresponsible Disclosure"

All the rage these days seems to be practicing the so-called "Responsible 
Disclosure" route of vulnerability disclosure, wherein Vendors are 
hand-held through the process of being notified of their bugs, spoon-fed 
the vulnerability information, and allowed months and months of time for 
them to create, test, and release a patch.

We think that's bullshit. We don't have the time, nor the desire, to hold 
a Vendor's hand during the process of fixing their crappy product.

Full-Disclosure, hereafter referred to as "Irresponsible Disclosure", 
specifically to mock the existence of this other sluggish and 
resource-intensive method of vulnerability disclosure which has been 
brought to the security research community and branded as "Responsible 
Disclosure" by the very Vendors that have the most face to lose, is the 
official policy of the Computer Academic Underground.

Irresponsible Disclosure has been proved time and time again to not only 
allow consumers with vulnerable products to immediately test those 
products to identify if they are in fact vulnerable, but has also been 
proved to cause Vendors to develop and release patches much more 
diligently. It is folly to assume that because a vulnerability has not 
been publicly disclosed it is not being exploited in the wild. By causing 
Vendors to patch more quickly, the window of opportunity for exploitation 
is drastically shortened, and therefore is better serving those who are 
vulnerable rather than the vendors who introduced the vulnerability to the 
consumers in the first place. Responsible Disclosure is analogous to Gun 
Law: when you take away the guns from law-abiding people, the only ones 
with guns are the criminals. Such is the case for vulnerability 
information: when you don't allow the public to have the information, the 
only ones who likely have it are the malicious folk who want to keep it 
private and use it for nefarious purposes.

In all seriousness though, the Computer Academic Underground has no 
official disclosure policy. Each member of CAU makes their own decisions 
about what and when to disclose, made on a case-by-case basis regarding 
individual vulnerabilities, the impact they pose, and the consumers and 
vendors involved.
