Full disclosure

In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.

Definition

Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to protect their system from potential attacks as well as to protect their own image. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as the Full-Disclosure mailing list, as well as by other means.

Various interpretations

Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.

Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called responsible disclosure.

In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public. Opinions differ on what constitutes a reasonable time. Five to thirty days is typical, although the period could be a matter of hours. Internet Security Systems was widely criticized for allowing less than eight hours before disclosing details of a vulnerability in the Apache HTTP Server.

Limited disclosure is an alternative approach in which full details of the vulnerability are provided to a restricted community of developers and vendors, while the public is only informed of a potential security issue. Advocates of this approach also claim the term "responsible disclosure".

To address the controversy of disclosing harmful information to the general Internet community, including blackhats, in 2000 Rain Forest Puppy developed the RFPolicy, which is an attempt to formalize the process of alerting vendors to security problems in their products, and to establish guidelines on what to do if the vendor fails to respond.

One challenge with "responsible disclosure" is that some vendors do not respond, or inordinately delay their response, to vulnerability reports that are not public. As long as a vulnerability is not widely known to the public (with enough detail to reproduce the attack), vendors may refuse to fix the vulnerability or refuse to give it enough priority to actually repair it. Unfortunately, vulnerabilities reported to a vendor may already be exploited, or may soon be detected by someone with intent to exploit them. Thus, most security researchers set maximum times (such as 14 days or 30 days) before fully revealing a vulnerability to the public, since otherwise many vendors would never fix even critical vulnerabilities in their products. Many security researchers cite vendors' past failure to respond to vulnerability reports as the reason that they fully disclose vulnerabilities.

History

The issue of full disclosure was first raised in the context of locksmithing, in a 19th century controversy regarding whether weaknesses in lock systems should be kept secret within the locksmithing community, or revealed to the public.

According to A. C. Hobbs:

A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

— A. C. Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868).


The full disclosure debate came back to life through dissatisfaction with the methods employed by the Internet security infrastructure in the early 1990s. Software security vulnerabilities were reported to CERT, which would then inform the vendor of that software. Public disclosure of the hole would not take place until the vendor had readied a patch to fix it.

However, since the disclosures were private, some vendors took years to produce a fix, or never produced a fix at all. In the meantime, the vulnerabilities were actively exploited by crackers. Vendors ignoring warnings and relying on the ignorance of attackers appeal to security through obscurity; however, there is a well-established principle that obscurity should never be used as a primary security measure, and at some point vendor reliance on obscurity becomes a fraudulent misrepresentation of the security of their products.

Since CERT and the vendors were aware of the holes, but attempted to keep them secret even from the administrators of machines being cracked in the field, it was felt that CERT's policies were a manifestation of an impractical, "ivory tower" attitude.

In response to this, mailing lists and other avenues for full disclosure were established, notably the Full-Disclosure mailing list.

Controversy

Full disclosure can be controversial, as often these disclosures include code or executable tools to exploit the vulnerability. The argument against disclosure is that providing complete details or tools to malicious attackers, such as black hats and script kiddies, allows them to take advantage of vulnerabilities more quickly and makes attacks more widespread. However, this argument assumes that without disclosure such tools and attacks would not have occurred. The advantage of disclosure is that white hats will obtain the information, and that the vulnerability will be detected and patched more quickly.

n3td3v was banned from the Full-Disclosure mailing list on January 21, 2009. The ban is thought to have been a response to his widespread criticism of what he saw as irresponsible disclosure practices carried out by some security researchers, such as HD Moore. In an email post to the list on August 31, 2009, some described the banning of n3td3v as an attack on freedom of speech, while others accused him of being an internet troll.

In August 2010, HD Moore found about 40 vulnerabilities related to DLL load hijacking in Windows applications, which Rapid7 was going to publish under its vulnerability disclosure policy. Arcos, a Slovenian security firm, found one related vulnerability in iTunes and decided to publish without alerting the vendor, saying that notifying vendors "hasn't paid out well" in the past and that "we've found better markets for this kind of information".

See also

  • MBTA vs. Anderson
  • Security engineering
  • Kerckhoffs' principle
  • Defensive programming
  • Cracking
  • Hacking

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.