From Heartbleed to Shellshock and Poodle to Backoff, this has been a banner year for software vulnerabilities. Despite their appearance on myriad devices across a host of industries and operating systems, these threats share a common thread: They’ve all been disclosed to the public. The ensuing security fallout has some experts wondering whether a responsible disclosure policy is really a safeguard or just another siren song for cybercriminals.

Define ‘Responsible’

So what exactly is a responsible disclosure policy? Simply put, it is the release of details surrounding IT security vulnerabilities after a certain amount of time has passed. How much time depends on who has the information and how serious the potential threat is.

For example, the Community Emergency Response Team (CERT) Division of the Software Engineering Institute’s policy is to disclose any vulnerability data it receives 45 days after the initial report has been filed, but it will make allowances for “threats of an especially serious nature.” CERT argues that while 45 days puts pressure on organizations to fix identified vulnerabilities, this is not an impossible timeline.

What’s more, there are cases where the specter of eventual disclosure can motivate companies to patch exploits or design better code. Other agencies offer a 90-day window, while others offer no window at all, preferring “open disclosures” where any bug or vulnerability is released to the public immediately.

The bottom line? There is a lot of room to move on the issue of what is “responsible” and no general agreement on the ideal release schedule.

The Security Problem

Which is the better course, releasing details immediately, or holding data long enough for companies to close up security holes? A responsible disclosure policy tends to take the ethical high ground. It is often seen as a way to keep amateur bug hunters from blackmailing large companies into paying for silence and to keep high-profile bugs behind doors until fixes can be found.

For example, Heartbleed was discovered around March 21, according to The Age, but it was released to the public on April 7, prompting a firestorm of criticism about how the threat was handled, even though a patch had been developed. There have also been rumors that software companies unhappy with early disclosures have sought out IT professionals and had them fired or otherwise inconvenienced for damaging the brand’s good name. Ideally, responsible disclosures balance the need for freedom and privacy by providing enough time to correct issues while still keeping the public informed.

Unlocked Doors?

As noted by Wired, however, there is another argument against this kind of disclosure. Telling malicious actors which pieces of code are vulnerable is like giving robbers keys to the bank vault. The twist? These robbers never needed keys in the first place. Any cybercriminal determined to punch through network defenses has already learned about potential vulnerabilities and won’t be surprised by anything a disclosure report has to say. Keeping this information quiet only serves to spur on criminal acts, since very few IT security professionals even know what’s happening, let alone how to correct the problem.

Taking the argument further, Wired references an Alfred Charles Hobbs book, “The Construction of Locks,” published in 1853. In it, Hobbs argues that discussing the insecurity of locks does nothing to encourage crime by “rogues” since they “are very keen in their profession and know already much more than we can teach them respecting their several kinds of roguery.” Replace “roguery” with “hacking” and locks with software, and the book is spot-on. Malicious actors aren’t waiting with bated breath for the next security disclosure — they’re already two steps ahead.

Collaborative Effort

The real sticking point for IT security is collaboration. A responsible disclosure gives companies time to fix software problems, but many don’t reach out to other agencies for help, preferring to keep code in-house and solve problems in isolation. In a world where large-scale cyberthreats and zero-day vulnerabilities are happening month after month to network after network, however, this kind of head-in-the-sand thinking simply no longer works. Scheduled disclosures provide a reasonable, ethical framework for tackling vulnerabilities, and working together shortens the time required.

More from Application Security

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today