
Responsible Disclosure

Update 6/15/2010: The Windows vulnerability referenced in this article is now being actively exploited.  In this case, full disclosure is without a doubt putting Windows users at risk.

Today, Microsoft confirmed that there is an unpatched remote code execution vulnerability in Windows XP and Server 2003.  The vulnerability was first reported to Microsoft on June 5th by its discoverer, Google employee Tavis Ormandy.  Microsoft had to confirm the unpatched vulnerability today because Ormandy released the details of the exploit yesterday under the banner of full disclosure, five days after reporting his finding to Microsoft.

Now, I certainly do not consider myself to be an expert in the security field, but I am someone who is responsible for deploying vendor patches and monitoring the security of our systems.  I personally find Ormandy's actions in disclosing the details of this exploit before Microsoft could patch the issue to be suspect.  We are now left in a situation where exploit code has been released by a security researcher a month or more before the vendor can analyze the details, then develop, test and release a patch.  How does this situation improve our overall security?