Wednesday, 26 September 2012


Limited Disclosure
Limited disclosure is similar to nondisclosure because the sharing of vulnerability
information occurs within a small group of people. The key difference is that
nondisclosure occurs within the organization, whereas limited disclosure may include
individuals outside of the organization at the organization's discretion. During
the initial phases of limited disclosure, access to the full details of the vulnerability
is granted to a small group of individuals. This group potentially consists of
three different parties: the discloser, the vendor, and possibly a third-party coordinator.
Unlike full disclosure, the limited disclosure process does not provide the
full technical details of the vulnerability at the time of final disclosure. Release of
those details occurs only after the vendor fixes the system weaknesses. The
reason for this limit on technical data is that advocates of limited disclosure claim that
users, programmers, and administrators do not require detailed technical information
in order to patch or defend systems. In addition, proponents of limited disclosure
assert that the disclosure of full technical information only assists the black hat
community.
There are several problems with the concept of limited disclosure. As with
nondisclosure, we face the dilemma of whom to trust with the initial vulnerability
information. It will be very difficult to enforce ethical behavior among
those who may stand to gain from the disclosure or exploitation of an unknown
vulnerability.
www.syngress.com
Vulnerability Disclosure • Chapter 3 91
Without mandatory public disclosure, there is nothing to motivate the
vendor to develop a timely fix. Since the vendor can delay the final disclosure
until they fix the flaw, delaying final public disclosure can ultimately delay the fix
indefinitely.
Finally, since the amount of technical information in the initial disclosure is
greatly limited, customers may not be able to take early defensive actions.
IDS Signatures and Defensive Measures – Should You Provide Details?
You are a systems administrator and hear a rumor that there is a problem with
one of your administration tools. The vendor has disclosed nothing to you thus
far. Without detailed technical information, IDS signatures cannot be created to
counter this problem. You know that your detection systems will not be effective,
because tools to detect vulnerable systems and to test vendor patches cannot be
developed while the information about the vulnerability is withheld. With all of
these facts in play, do you as a system administrator feel that a company has the
ethical right to refuse to disclose the technical details of their product's weaknesses?
Conservative From the systems administrator's point of view, it is unethical
to delay or avoid disclosing product vulnerabilities. The case of a vulnerability
that is already being actively exploited is a no-brainer. The weakness must
go through full disclosure so that system administrators may create IDS
signatures to counter the problem and update the corresponding defensive
technology. In these situations, systems exposure and exploitation are
disastrous during the period while the vendor delays disclosure until
they are ready to release a patch. Even if a final disclosure is published
before the vendor releases a patch, administrators still lack the information
required to deploy the necessary countermeasures. Finally, without a
complete understanding of the structure of the flaw, the vendor's programming
team will continue to make similar mistakes when coding future products.
All of these reasons are solid arguments for the necessity of full disclosure.
Liberal Even though failing to disclose information may be harmful to
clients, vendors are not ethically required to perform a full disclosure.
Limited disclosure is not unethical. A limited disclosure protects vendors'
and clients' sensitive information from falling into the wrong hands.
SUMMARY
This issue is a principle versus practice discussion. From the point of view
of system administrators, in most cases full disclosure is necessary for
them to adequately perform their duties, for all of the reasons mentioned.
However, some people may still feel that vendors are not ethically
required to produce full disclosures of product vulnerabilities, and that
such disclosures only feed the black hat community and script kiddies.
