Security exploits: Who's to blame?

• Tags:
• Hackers,
• Researchers,
• Lack Thereof,
• Security

Joris Evers and Marguerite Reardon CNET News

Published: 06 Sep 2005 16:40 BST

• 
• 
• 
• 
• 

...security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on ZDNet UK sister site CNET News.com. "The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so," Davidson said.

Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided.

Oracle chided Kornbrust as irresponsible for disclosing the data.

Although not entirely happy about his dealings with Oracle, Kornbrust said it is not an adversarial relationship. "Hostile is not the right expression. I did get feedback from Oracle," Kornbrust said, but that was only immediately after he reported the bugs. Oracle did not give Kornbrust updates on how it was addressing the problems afterwards.

"Oracle supports guidelines for responsible disclosure. One of those guidelines is that the company should send out updates to the researcher. They don't," said Kornbrust, who runs Germany's Red Database Security.

In the past, many hackers and security researchers outed glitches without giving much thought to the impact the disclosures would have on Internet users. Software makers have been working to provide a channel for disclosure. Several have also established patching schedules. Microsoft releases patches every second Tuesday of the month, and Oracle has a quarterly schedule.

Still, the debate on responsible disclosure rages. Recently FrSIRT was the subject of discussion on a popular security mailing list. FrSIRT, formerly known as K-Otic, releases details on vulnerabilities and also publishes exploit code that could help attackers. Sometimes the holes aren't yet patched. Other than FrSIRT selling its service critics are unsure what the purpouse of such a service is.

"With our dependency on IT systems, responsible disclosure is of paramount importance," said Howard Schmidt, an independent security consultant who has served as cybersecurity adviser to the White House and security executive at Microsoft and eBay.

Technology companies that are not responsive to security researchers do pose a problem, Schmidt said. He suggests that the government, specifically the US Computer Emergency Readiness Team [the Department of Homeland Security's Internet security agency], could act as an intermediary. "And then perhaps the government could put some pressure on [technology companies]," he said.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed