Wednesday, 26 September 2012


Vulnerability Disclosure by Security Research Companies – Should They Tell?
With greater frequency, security research companies receive criticism for disclosing vulnerabilities for the sole purpose of generating favorable press coverage. The media coverage a security company receives may mean substantial revenue in the form of new or larger customer contracts. Because of this, the public is starting to question the true motivation behind some of the vulnerability research and disclosure organizations. In some cases, the disclosures of vulnerabilities by security firms are the result of intense stress testing of products. The likelihood of these vulnerabilities coming to life outside of an artificially constructed lab environment is small, if not nonexistent. Should disclosure of vulnerabilities discovered in a lab under unusual circumstances, such as intensive stress testing, be made available to the public?
www.syngress.com
Vulnerability Disclosure • Chapter 3 87
Conservative: Publicizing vulnerability discoveries only helps hackers and is not ethical behavior. If you apply the right type of pressure to nearly any vendor product, you will find weaknesses. Real threats are the purpose of full disclosure, not "what if" scenarios. This is also an environment where security companies can pick on certain vendors by stress testing only their products. The scientific results are not conclusive enough to support publicizing stress tests unless it is done by an impartial body of experts who have nothing to gain from publishing such results.
Liberal: Disclosing all data about systems the public uses is an effective tool against malicious attack. Based on that data, the clients determine whether the system weakness will ever occur in their production environment. Publicizing system vulnerabilities found under a stress test environment is an asset to the IT community.
SUMMARY
Depending on the type of stress test, publicizing system vulnerabilities may be inaccurate and may unnecessarily tarnish the reputation of a particular product or vendor solution, making this type of information disclosure misleading. However, the more information a system administrator has at their disposal, the better they can protect the information systems in their charge.
Ethical Duty to Warn
A person or business has a "duty to warn" if utilization of their product may cause harm to the user. A business's first obligation is to redesign the product or apply necessary patches to eliminate the danger. If for some reason that cannot happen, the person or business must provide other means to protect the user from the danger associated with their product. If the problem still exists, they must sufficiently warn the user about it. If a bug or vulnerability is open and obvious, then there exists an ethical duty to warn.
This means that products and vendor solutions must take consumer expectations into consideration and undergo appropriate risk tests. Since the manufacturer is the expert on the product, an employee's failure to warn of a vulnerability is unethical behavior.
This section discusses two different scenarios of duty to warn. The first advocates the more conservative approach, recommending warning of product weaknesses, and the second addresses a case in which it may not be appropriate to warn the public of system weaknesses.
