Phoenix-like, Full Disclosure returns

When the Full Disclosure mailing list suddenly closed down just over a week ago it took most people by surprise. The precise cause — although undoubtedly known to some — remains a mystery. It appears to have been just one problem too many for list moderator John Cartwright; made all the more unbearable because it came from within the research fraternity rather than from vendors.

Be that as it may, full disclosure has been, and remains, one of the longest-running contentious issues in security. If you discover a vulnerability, do you tell everyone (full disclosure), tell no-one (non-disclosure), or tell only the vendor (so-called ‘responsible’ disclosure)?

There are strong and strongly-held arguments for all three options. Graham Cluley and I differ, for example, although perhaps more in degree than in absolutes. “For my money, it’s always been more responsible to inform the vendor concerned that there is a security weakness in their product, and work with them to get it fixed rather than get the glory of an early public disclosure that could endanger internet users,” he told me when the mailing list shut down.

Graham’s view is that we should do nothing that might help criminals break into innocent users’ computers. So far we agree: always tell the vendors first, so that they can fix flaws before they become widely known. But what next? What if the vendor does nothing or takes a ridiculously long time to fix it?

Graham sticks to his basic principle. You still don’t go public. Instead, you could, for example, go to the press “and demonstrate the flaw to them (to apply pressure to the vendor) rather than make the intimate details of how to exploit a weakness public.”

There are ample examples to prove his point. When you combine full disclosure with the ‘full exploitation’ of Metasploit, all done before the vendor can fix it, then the bad guys have a ready-made crime-kit — and the general public has no defence.

The basic principle behind responsible disclosure is that if you don’t go public, the vulnerability is less likely to be exploited. But that’s my problem: ‘less likely’ is no defence. If the researcher has discovered the vulnerability, how many criminals have also already discovered the same vulnerability — and are already using it, or are ready to use it in earnest? To know about a vulnerability and not do everything possible to force the vendor to fix it is, in my opinion, irresponsible rather than responsible behaviour.

But, as Graham added, “it’s a religious debate, frankly, with strongly held opinions on both sides.”

So it will be with a mixed reception that we now learn that, like the Phoenix, the Full Disclosure mailing list is reborn, courtesy of Seclists’ Fyodor. In his own words:

Upon hearing the bad news, I immediately wrote to John offering help. He said he was through with the list, but suggested: “you don’t need me. If you want to start a replacement, go for it.” After some soul searching about how much I personally miss the list (despite all its flaws), I’ve decided to do so! I’m already quite familiar with handling legal threats and removal demands (usually by ignoring them) since I run Seclists.org, which has long been the most popular archive for Full Disclosure and many other great security lists. I already maintain mail servers and Mailman software because I run various other large lists including Nmap Dev and Nmap Announce.
(Fyodor, “Full Disclosure Mailing List: A Fresh Start”)

I for one welcome its return. Full Disclosure is, to my mind, an essential part of the security landscape. You can sign up here.
