No, I’m not calling all security researchers torturers. Before you flame me, read the post…

Not that I have any personal experience (beyond sitting through Black Dog the day my girlfriend dumped me), but torture is one of those things that rarely seems to give you the results you want, and even when it seems to work comes at an incredibly high cost

As I mentioned in the Three Dirty Secrets of Disclosure post, full disclosure, especially “no-knock” full disclosure (releasing everything before even reporting it to the vendor) helps the bad guys more than the good guys. End users don’t have the time or skill, in most cases, to protect themselves. They’re still beholden to their vendor to provide a solution, but now even the lesser-skilled bad guys have a new way to attack.

So how is full disclosure like torture?

It’s more valuable as a threat. Once used, you can’t take it back, it rarely gives you the results you want, and everyone involved is hurt. Actually, unlike torture full disclosure hurts any innocent bystanders in the process.

Some researchers think full disclosure forces vendors to respond and patch. Maybe; but in my experience vendors resist torture like James Bond and end up escaping and just getting really vengeful in the process.

I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be a last resort- not a first strike. It’s more powerful as an ever-present threat hanging over the heads of the most unresponsive of vendors. Dropping vulnerabilities and proof of concept code on a daily basis just hardens the vendors and lets them paint you as an out of control rogue.

You might think you’re saving the free world, but you’re no Jack Bauer.