Coalition condemns full disclosure

Microsoft and five big name security firms have put the boot into the full disclosure argument by announcing a coalition to limit the disclosure of vulnerability information.

At the Trusted Computing Forum held in California this week Microsoft, along with ISS, @stake, Bindview, Foundstone and Guardent, revealed a formal coalition to push for a standard policy of limiting public disclosure of security vulnerabilities.

The as yet unnamed organisation plans to draft a international standards proposal, submitted as a Request For Comments to the Internet Engineering Task Force (IETF).

The report will cover the entire bug reporting and vulnerability disclosure process, but is geared towards discouragement of full disclosure.

The IETF will hold the proposal open to public review and comment before considering it for adoption as an official standard.

However, experts opposing the idea have suggested that a standard could be used as a stick to beat other researchers into line.

The arguments for and against full disclosure have dragged on for years and caused many a schism in the security industry, as some experts claim that limited public information will let vendors take their eyes off the ball when it comes to releasing patches.

The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals somewhat, by not giving them an exploit on a plate.

This side of the argument was recently picked up by Scott Culp, manager of the Microsoft Security Response Centre, who released a comment piece slamming full disclosure. The controversial document sparked a mixture of support and outrage among experts resulting in security/hacker group NMRC issuing a call to arms to promote full disclosure.

This week's coalition announcement may well help to split the industry right down the middle on the issue.

The proposal outlines a 30-day grace period in which limited information about a vulnerability is made available. After 30 days and, presumably, the release of a patch, more detailed notices would be released.

A set of bylaws included in the proposal include an agreement to engineer any software released by the coalition in such a way that it cannot be used to break the law.