Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field.
A quote from a talk by Tom Cross from Lancope and Holly Stewart from Microsoft:
“If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.”
It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers.
Vulnerability disclosure often seems more about philosophy and ego. Exploit disclosure is far more complex, with even farther-reaching implications. Exploit disclosure makes vulnerability disclosure look like a kid’s game.
Comments