Ethics of Full Disclosure of Security Holes
Security breaches are making big headlines nowadays, and Microsoft is leading the charge. Its flagship operating systems and office suite are so bulky and complex, that it is impossible to be bug-free. The system administrators (the white hats) are up to their noses plugging all the holes from super hackers (the black hats). Yet they are also facing attack from another front – those that post vulnerabilities on the internet (the gray hats).
The gray hats are hackers that find security vulnerabilities and post them on the internet, forcing system administrators to patch up the holes. Usually, they inform the vendor ahead of time. Then, if they deem the company is not taking them seriously, and malicious hackers will exploit the threat, they post it on a forum. Though acting in good faith, the ethics of full disclosure of security holes are in debate, including: how full disclosure can cause more harm then good, how long vendors should be allowed to fix the problem, and liabilities for posting on the internet.
Issue 1: Full disclosure of security-related information can inflict more damage than good. You are showing people how to break into systems.
The debate about vulnerability-disclosure policies involves two main parties. Researchers at security companies say they want to get their latest findings out quickly to hasten software makers' response to bugs. Software makers, on the other hand, say they aren't given enough time to deal with a problem, and that publicizing it simply alerts malicious hackers to an opportunity.
There are super hackers out there who find security vulnerabilities, then write a script up on the internet, with one or two lines of code missing (he hasn’t violated anything any laws). Then an amateur comes across it and wants to test it out. He compiles the code and unleashes the virus, and suddenly he is responsible. Scott Culp, manager for Microsoft's security response center, called information posted from some companies and independent security consultants as "information anarchy."
"It's high time the security community stopped providing the blueprints for building these weapons," And it's high time that computer users insisted that the security community live up to its obligation to protect them." 5
Marcus Ranum, CEO of security software vendor Network Flight Recorder Inc., agreed that posting security flaws do not work. Why isn’t the state of security improving then? These “rock throwing” incidents are just for pride, and to attack against large corporations like Microsoft. He says the gray hats are acting irresponsibly, destroying code that works, and is not making valuable contributions for the betterment of society. “The Huns didn't know how to build Rome; they just knew how to sack it," he said. "Just show us that you have useful stuff [instead of] destroying other people's stuff. 1 It would be better if they put their...