> That's not the question. Is it to his advantage for the discussion
> to be private, between the reporter and the developer? The only
> situations in which I would go public with a security hole are when
> it is a generic problem affecting a whole community of developers or
> when the developers refuse to fix it.

I agree that the discussion between the reporter and developer should be secret, at least until the developer provides a solution or refuses. But that's not the question I was trying to comment on. I was more interested in the disclosure that IBM (or a software vendor) has with their customers. How do they convince their customers to apply the fix, upgrade their software, etc.? I used to believe that non-disclosure was a good strategy and customers would blindly apply all integrity APARs. Here are just a few points to consider.

1. Some sites may believe that obscurity of flaws is sufficient protection. That plan works most of the time; or rather, until a clever attacker comes along. So as long as the flaw seems obscure, they feel safe. However, what seems obscure to one person may be obvious to another.

2. Some sites don't fix things if they aren't broke. Applying fixes takes time and effort and frequently introduces other problems. They want to avoid unnecessary effort. So they'll wait to fix the problem when it occurs in their environment, or when someone shows strong evidence that it is likely to. In other words, just saying that it is a security issue is not enough to convince them.

3. Some sites ignore security because it costs too much or is too hard to maintain, esp. when they have little at stake. For example, a service provider may have an exclusion or waiver of liability in the "fine print" of their contracts. Their customers may have concerns, but they agree to the risks when they sign the contract.

4. No one has a fool-proof method to separate the "good" guys from the "bad" guys. Or in other words, IBM cannot discuss security issues with only the "good" guys, because they can't be sure whether they are talking to the good, the bad, or just the ugly.

Open discussion reduces the effectiveness of security by obscurity. Open discussion may provide the strong evidence needed to show that security is broken. Open discussion may force security issues to be heeded, even when they have little at stake. Open discussion does not care whether or not the parties involved are "good" guys or "bad" guys.

Of course, these points have faults, too; but so far, I'm leaning toward them anyway.

Don Williams

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html