Questions On Vulnerability Disclosures And Information About A Computer Security Problem

Vulnerability Disclosures
As cited from Wikipedia, "Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so". Who benefits from these security problems? The first thought is attackers, but that is not the whole picture: there is also a community of professionals in the security industry who earn a living by finding and reporting security flaws.
A question still arises: why are pen testers hesitant to let the vendor know of potential vulnerabilities in its product? The reason is simple: intimidating legal consequences. There have been situations where bug hunters have been reprimanded and sentenced to prison for identity theft.
But the negatives outweigh the positives. The vendor itself may already have detected the flaw and be working on it discreetly. The disclosed exploit may not be as bad as expected on its own, yet may be leveraged into a harmful one by the black hat community, and full disclosure increases the chance of a widespread attack on the user community by black hats. The patching process is not simple and takes a lot of effort and time: a new patch or workaround should be tested for days or even months before it is released. All this while, the non-savvy user community, which is the majority, will not be able to protect itself from the attacks.
2) Co-ordinated Disclosure Policy: Here the vendor and the researcher work together until the bug is fixed, and only then is the vulnerability disclosed, possibly through a trusted third party. Control of the whole disclosure process lies with the vendor. This seems more responsible: the information reaches a wider audience only after the fix is made, and the attacker community remains unaware of the exploit while the fix is being developed, so the user community is not put at risk as it is under full disclosure. The advantage is that the researcher gets credit for the work and the fix happens without putting anybody at risk.
