Full-Disclosure Wins Again

twistedmoney99 writes "The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch — and InformIT just proved it again. In March, Seth Fogie found numerous bugs in EZPhotoSales and reported them to the vendor, but nothing was done. In August the problem was posted to Bugtraq, which pointed to a descriptive article outlining numerous bugs in the software — and guess what happens? Several days later a patch appears. Coincidence? Probably not, considering the vendor stated '...I'm not sure we could fix it all anyway without a rewrite.' Looks like they could fix it, but just needed a little full-disclosure motivation."
  • by Lord Ender ( 156273 ) on Wednesday August 15, 2007 @01:47PM (#20239007) Homepage

    "To me, 'responsible disclosure' implies that a patch is made available BEFORE the detailed disclosure of the vulnerability happens."
    No. Wrong. It's not a matter of opinion. With responsible disclosure, a security researcher notifies a vendor before publishing his research. It absolutely DOES NOT imply that a patch is made available before the researcher publishes his findings. A vendor is still free to shoot itself in the foot under responsible disclosure.

    The only gray area is determining just how much time is reasonable to release a patch. The standard accepted period these days seems to be between two weeks and two months. Mozilla's CEO would say "ten fucking days." Escaping part of an SQL string or recompiling code with a buffer overflow check doesn't take all that long to do.

    If a vendor chooses to ignore a researcher, it does not change the fact that the researcher acted responsibly by providing the vendor with the courtesy of a "heads up" warning.
  • by Rich0 ( 548339 ) on Wednesday August 15, 2007 @04:22PM (#20241041) Homepage
    If you store your session IDs in a central database you'd be covered. Maybe under extremely high load this might be an issue, but often these bugs crop up in software that doesn't face these sorts of high-demand applications.
