Wednesday, 26 September 2012

Can You Really Control Information? – Adopting Nondisclosure Policies
In a vendor product company, the major flaw in thinking about nondisclosure is the belief that someone can control the information. There is no way to assure that the selected individuals can be trusted not to use privileged vulnerability information for their own gain. Furthermore, some of the individuals employed by vendors and security firms have questionable histories. Can you really trust reformed individuals with past careers as black hats or grey hats to act responsibly with privileged vulnerability information?
Conservative
Adopting a policy of nondisclosure has several advantages. A nondisclosure policy empowers management and IT personnel with control over information within the organization. In addition, in the case of disclosures, it gives them control over vulnerability information, which will keep the wrong information out of the hands of black hats and other malicious people or organizations. Failing to disclose system vulnerabilities keeps the company reputation intact. The real advantage of nondisclosure is to the vendor alone. If a vendor can keep the vulnerability a secret while it is fixed, they can avoid any negative press that may be generated.
Liberal
A policy of vulnerability nondisclosure has more disadvantages than advantages. There is no way to assure that the black hat community or other malicious attackers do not already possess the vulnerability information, or that they will not discover it on their own before a public disclosure is made. There are four primary reasons why a policy of vulnerability nondisclosure is a really bad idea.
www.syngress.com
First, if vulnerability information is leaked or simultaneously discovered, the black hat community has an opportunity to actively exploit the vulnerability without public knowledge. Systems will be left exposed during the time it takes the software vendor to patch the product.
Second, since the vulnerability is not disclosed publicly, administrators do not have the opportunity to protect vulnerable systems. If a vendor fails to disclose serious system vulnerabilities, their clients will determine they are unethical and even dishonest.
Third, because there is no negative press for the software vendor, they are not motivated to repair the flaw in a timely manner.
Fourth, it is very difficult to clearly define the trusted selection of individuals with access to sensitive vulnerability information. Because of these reasons, a policy of nondisclosure is obviously less than desirable.
Vulnerability Disclosure • Chapter 3 81

SUMMARY
Vulnerability nondisclosure in most cases is a bad idea for all of the reasons mentioned in the liberal point of view. Failing to disclose system flaws tends to cause more harm than good. However, from the point of view of the vendor, nondisclosure may be useful in some circumstances, namely when the vendor can quickly remediate a flaw and thus avoid incurring any negative publicity.
