Thursday, September 08, 2011

Finally, a Responsible Disclosure policy

Digital Bond, who researches SCADA/ICS vulns, has published one of the most responsible vulnerability policies: http://www.digitalbond.com/about-us/vulnerability-disclosure-policy/. To summarize, it says:
  • We honor client commitments.
  • Otherwise, we do whatever the heck we want with discovered vulns.

Over the years, vulnerability researchers (or non-researchers who want researchers to listen to them) have tried to come up with ways to lessen the harm of vuln research while maximizing the good. They've failed. Instead, they've come up with rules that only serve the vendors of vulnerable products, who exploit "responsible disclosure" to spin, cover up, or delay vuln disclosure. After having the FBI show up at our door threatening us in an attempt to prevent vuln disclosure, we've stopped being nice with vendors.
