Full disclosure (computer security)

Disclosure Policies
– Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the information accessible to everyone without restriction.
– Coordinated disclosure is a policy under which researchers report vulnerabilities to a coordinating authority (the vendor itself or a third-party coordinator), which reports them to the vendor, tracks fixes and mitigations, and coordinates the release of information to the public.
– Non-disclosure is the policy that vulnerability information should not be shared at all, or should only be shared under non-disclosure agreements.

Coordinated Vulnerability Disclosure
– Coordinated vulnerability disclosure is a policy where researchers report vulnerabilities to a coordinating authority.
– The coordinating authority, often the vendor, tracks fixes and mitigations and coordinates the disclosure of information.
– Privileged access to nonpublic research is given to vendors under this policy.
– Coordinated vulnerability disclosure is also known as responsible disclosure.
– The risks of sharing research with malicious actors are considered too great for too little benefit under this policy.

Full Disclosure
– Full disclosure is the policy of publishing information on vulnerabilities without restriction, as early as possible.
– Proponents of full disclosure believe that the benefit of freely available vulnerability research outweighs the risk that attackers will use it.
– Full disclosure allows users and administrators to understand the vulnerabilities in their systems and react to them (for example by applying workarounds) without waiting for the vendor.
– It puts pressure on vendors to fix vulnerabilities that they might otherwise not prioritize.
– In the view of its proponents, full disclosure resolves the fundamental problems of coordinated disclosure, where users remain exposed and uninformed for as long as the vendor takes to act.

Non-Disclosure
– Non-disclosure is the policy that vulnerability information should not be shared or should only be shared under non-disclosure agreements.
– Proponents of non-disclosure include commercial exploit vendors and researchers who intend to exploit the flaws they find.
– Non-disclosure is also favored by proponents of security through obscurity.
– Non-disclosure limits the distribution of vulnerability information to the discoverer and whoever they choose to share it with.
– Critics argue that it prevents users and administrators from making informed decisions about the risks to their systems, since they have no way of knowing the flaw exists.

Debate and References
– The No More Free Bugs campaign in 2009 sparked a broader debate about the issue of disclosing vulnerabilities.
– Advocates of coordinated disclosure argue that users need guidance from vendors to make use of vulnerability information.
– They believe that limiting distribution of vulnerability information is in the best interest of the majority.
– Full disclosure advocates argue that users should not be underestimated and that the potential benefit outweighs the potential harm caused by malicious actors.
– Vulnerability discovery is not an exclusive event: multiple researchers can discover the same flaw independently, so keeping a vulnerability secret does not guarantee that malicious actors are unaware of it.
– References include various publications, organizations, initiatives, policies, and recent developments related to vulnerability disclosure.

Sources: https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)