Responsible Disclosure (German Wikipedia, revision of 2009-12-29T23:56:45Z by user 203.7.155.64; diff: https://de.wikipedia.org/w/index.php?title=Responsible_Disclosure&diff=214577692)

Edit summary: you don't wait to patch, that's what the time window is for...

'''Responsible disclosure''' is a [[computer security]] term. It is like [[full disclosure]], with the addition that all stakeholders agree to allow a period of time for the [[Vulnerability (computing)|vulnerability]] to be [[Patch (computing)|patched]] before publishing the details. Developers of [[hardware]] and [[software]] often require time and resources to repair their mistakes. [[Hackers]] and computer security scientists hold the view that it is their [[social responsibility]] to make the public aware of vulnerabilities with a high impact. Hiding those facts could create a [[security theater|false sense of security]]. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing future damage. Depending on the impact of the vulnerability, this period may range from a few weeks to several months. Patching software is easier when the [[internet]] is used as the distribution channel.

Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure.

Today, the two primary players in the commercial vulnerability market are iDefense, which started its vulnerability contributor program (VCP) in 2003, and TippingPoint, whose zero-day initiative (ZDI) started in 2005. Both organisations apply the responsible disclosure process to the vulnerabilities they purchase. Between March 2003 and December 2007, on average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI.<ref>{{cite web |url=http://www.techzoom.net/papers/weis_security_ecosystem_2009.pdf |title=Paper measuring the prevalence of responsible disclosure and model of the processes of the security ecosystem}}</ref>

[[Vendor-sec]] is a responsible disclosure mailing list. Many, if not all, of the [[CERT_Coordination_Center|CERT]] groups coordinate responsible disclosures.

[[Security vulnerability|Security vulnerabilities]] resolved by applying responsible disclosure, with the agreed disclosure period:
* [[Dan Kaminsky]]'s discovery of [[DNS cache poisoning]], 5 months<ref>{{cite web |url=http://www.cert.org/netsa/publications/faber-OARC2008.pdf |title=Dan Kaminsky discovery of DNS cache poisoning}}</ref>
* [[Radboud University Nijmegen]] breaks the security of the [[MIFARE]] Classic cards, 6 months<ref>{{cite web |url=http://www2.ru.nl/media/pressrelease.pdf |title=Researchers break the security of the MIFARE Classic cards}}</ref>
* [[MBTA vs. Anderson]]: MIT students find a vulnerability in the Massachusetts subway security, 5 months<ref>{{cite web |url=http://tech.mit.edu/V128/N30/subway.html |title=MIT students find vulnerability in the Massachusetts subway security}}</ref>
* [[MD5]] collision attack that shows how to create false CA certificates, 1 week<ref>{{cite web |url=http://www.phreedom.org/blog/2009/verisign-and-responsible-disclosure/ |title=MD5 collision attack that shows how to create false CA certificates}}</ref>

==References==
{{reflist}}

{{comp-sci-stub}}
[[Category:Computer security procedures]]