Industry still split on vulnerability disclosure

We've seen increasing moves by the software industry over the past few weeks to solve one of its oldest dilemmas: vulnerability disclosure.

Microsoft changed its policy on disclosure last month, and research firm TippingPoint told manufacturers recently that it is setting a six-month time limit between alerting them to a flaw and disclosing the information to its customers.

There are growing signs that the industry is getting serious about sorting out its patching protocols.

"It amazes me that a dozen years down the line we're still talking about this," Dan Holden, director of security research at TippingPoint, told V3.co.uk.

"Some of the arguments are pure semantics. We need to be mature about our responsibilities. The threat landscape has changed dramatically, and we're up against a much larger beast."

Holden explained that the tension between researchers and software manufacturers is largely economic. Vendors are not keen to have their problems exposed, but research firms have clients to protect and need to keep them informed.

Part of the problem is that in the past some of the biggest vendors took years to sort out problems, rather than the months that could reasonably be expected, and in some cases weren't even bothering to patch at all until the next major system upgrade.

"A kernel level one vulnerability takes a lot of time to sort out," Holden said. "But from a researcher's standpoint, everyone wants a patch as soon as possible."

The issue is increasingly being raised because of the larger pool of research firms. Many in the old-school hacking community, such as Dan Kaminsky and Moxie Marlinspike, have now set themselves up as security researchers in a sign that the industry is maturing.

"You need the research and the breaking, but it can't stop there," said Kaminsky at the launch of DNSSec during last month's Black Hat conference. "You have to work on a fix, get it out there, and then occasionally put on a suit."

Holden said that it is encouraging to see moves in this direction, and he's not alone. Rick Moy, president of NSS Labs, told V3.co.uk that the hacking community and vendors must get together and sort out a proper framework for disclosure.

"We need to embrace the hackers, and I mean that term in the best way. Hackers break into their own systems, while criminal crackers do it on yours," he said.

Part of the problem is that software licensing gives the industry an unusually wide remit to fix faulty products when it sees fit, unlike the rules for manufacturers of cars or food, for example.

The increasing number of researchers is adding pressure for patching by identifying flaws faster, and the industry cannot afford to keep its head in the sand.

"Everything has bugs and, if you have to acknowledge that you need to fix them, even though it costs time and money, quite frankly there's no other way," Moy concluded.

Microsoft is hoping that its controlled vulnerability disclosure system will ease the situation by allowing limited disclosure before a patch is ready, and working on temporary fixes where possible.

The firm has also released free tools for the security community and is actively sharing information with other vendors.

"When we started introducing security tools to the community two years ago, low and behold we got applause," Dave Forstrom, director of Microsoft Trustworthy Computing, told V3.co.uk. "We need to get out of the mindset that we can do it alone."

Ultimately, the standoff between researchers and software vendors will continue until a standardised framework for disclosure can be worked out.

In the meantime, IT administrators are seeing better support, but a much more complex and dangerous threat landscape has emerged which is unlikely to improve in the short term.