Writers Exposing System Weaknesses –
Should You Disclose All Information?
You are writing a white paper for a new operating system. It is common to mention
strengths and weaknesses in a white paper, but only to a certain degree.The
operating system you are writing about has a serious security weakness. Is it your
duty to insist on revealing this important information in the white paper or
through some other means of communication?
Conservative Overall system integrity is critical when selling a new
product, especially an operating system. Insist that some sort of warning go
into the white paper and corresponding system documentation.Without
this, the company will be putting themselves at risk for any system damages
incurred because of the operating system. Explain the importance of this to
senior management.They will appreciate that you brought this matter to
their attention.
First, similar to other forms of discloser mentioned, you should always
notify the vendor before any public disclosure is made. Do not expose the
information outside of the vendor. Conduct this contact in such a way as to
confirm that the vendor has received the notification. If you feel you cannot
communicate directly to the vendor about system vulnerabilities, use a
third-party coordinator who will assist in facilitating the communications
discoverer and the vendor.
Liberal It is certainly not your place as a writer to require inclusion of certain
system vulnerability information in the white paper you will receive payment
to produce.This is especially true if the information has the potential to
be detrimental to the sales of the product. Mind your own business and do
www.syngress.com
Vulnerability Disclosure • Chapter 3 89
the job they hired you to do. Leave the facts and the problems up to
management.
SUMMARY
Determining whether it is your duty as a writer to warn your readers of
system problems is a choice you must make. Are you ethically entitled to
the duty to warn? The benefit of warning your readers is they will know
you are thorough in your research and trustworthy, which in turn
improves your reputation as a writer. The down side of providing such
warnings is that some companies may not choose to hire you because
they simply want someone to write, not tell them what to do and force
them to reveal every down point of their product.
Instilling Public Fear with Full
Disclosures – Err on the Side of Caution?
You work for an air traffic control tower and you discover a system vulnerability
in one of the software tools you use to track planes.This is really big because it
potentially endangers many lives. Is it ethically acceptable to publicly disclose this
information on national television? You know this type of disclosure may instill
fear and panic in the public.
Conservative This particular type of disclosure is best handled in a more
private manner between the initial discoverer of the vulnerability and the
vendor. During the time after initial contact and until public disclosure, all
communication lines between the vendor, discoverer, and originator should
be kept open and confidential.Any miscommunication during the entire
disclosure process could lead to premature disclosure and potential public
panic. It is important that the vendor attempt to reproduce the vulnerability
in order to verify its existence.The originator should provide the vendor
and coordinator with all the necessary information and aid reproduction in
any way.This will determine if there is in fact an error. Disclosing air traffic
software vulnerability data without absolutely confirming the system weakness
is completely unethical.This type of vulnerability must be handled in
this manner without public disclosure.
www.syngress.com
90 Chapter 3 • Vulnerability Disclosure
Liberal The public has the right to know if the air traffic control system
for airplanes and an airport is inoperative or defective.This is a case where
public disclosure may save lives and the information must be published
immediately upon discovery.
SUMMARY
Publishing information immediately upon discovery is not always a good
idea. It is best to contact the vendor and perform the necessary tests to
validate that there is in fact a valid vulnerability. Once you discover there
is an accurate vulnerability it is your ethical choice to determine whether
you feel you have the ethical duty to warn the general public of the air
traffic control problem or handle the matter in a more confidential
manner.