Do 'irresponsible' security researchers help or hinder?
Published: 26 Jan 2005 16:20 GMT
In the past, many hackers and security researchers outed glitches without much thought of the impact on Internet users. Microsoft, among others, changed this. As part of its 3-year-old "Trustworthy Computing" initiative to tame security problems in its software, the company began an outreach program to support the work of the security community. At the same time, it started chastising those researchers who, it believed, released details of flaws too early.
The result is a tradeoff between security researchers and software businesses that is supposed to benefit product users.
Apple, for example, keeps the work of its security team wrapped in secrecy and issues patches approximately every month. Microsoft has moved to a strict second-Tuesday-of-each-month patch-release schedule, unless a flaw arises that poses a critical threat to customers' systems. Database maker Oracle has settled on a quarterly schedule.
"We think it is in the best interest of our customers," said Kevin Kean, director of Microsoft's security response centre. "A large portion of the research community agrees with us and works with us in a responsible way."
But some security researchers believe the tradeoff is benefiting companies too much, as it allows them to tweak their patching processes at their convenience, without having to introduce fixes that disrupt ongoing software development. That adds up to a lax attitude to security, some experts believe.
eEye Digital Security abides by Microsoft's responsible disclosure guidelines, but posts the length of time since it reported a vulnerability to the software giant on a special page on its Web site. The top-rated flaw on the company's Web site was first reported to Microsoft almost six months ago, for example.
The detente also makes manufacturers look good in terms of the lag between the public warning of a flaw and the release of a patch. For example, a year-old study by Forrester Research gave Microsoft props for minimizing the window of vulnerability, compared with most Linux distributions. It is a direct side effect of the software giant's success in persuading security researchers to play ball, contrary to expectations.