
Full disclosure vs responsible disclosure: the next chapter


Author: David Barroso

The eternal discussion between full disclosure and responsible disclosure has a relatively new arena: critical infrastructure protection (CIP). From time to time the best way of reporting a vulnerability to a vendor comes up for debate, and no procedure that satisfies both sides (the one who finds the vulnerability and the vendor) has been institutionalized yet. There are all kinds of options, none of them clearly more successful than the others: acknowledging the researcher's help (e.g. Microsoft), paying a certain amount of money (Google), or simply going through a company that acts as a broker and pays for vulnerabilities (e.g. iDefense VCP or TippingPoint ZDI). But the truth is that these methods do not work; the best example came last year with the vulnerability Tavis Ormandy discovered in Windows. That case shows the need for some kind of procedure that pleases all sides.

Unfortunately, some vendors still do not treat security as essential for keeping their users out of risk (ZDI's list of unpatched vulnerabilities is quite illustrative). On the other hand, some researchers think vendors must meet their demands immediately, even resorting to extortion. There have been several attempts to formalize vulnerability reporting: from the well-known RFPolicy, to the IETF draft Responsible Vulnerability Disclosure Process, which ended up as the basis for the Organization for Internet Safety's procedure, to the No More Free Bugs initiative promoted by several researchers. In critical infrastructure protection we are now seeing what happened elsewhere some years ago: after trying to do things right and finding that it often does not work, positions like Digital Bond's appear, whose vulnerability reporting policy is as simple as "we'll do what we like", because they are tired of seeing how vendors, after incidents such as Stuxnet or the vulnerabilities found by Dillon Beresford, do not seem to react, not even when ICS-CERT is involved (the vendor may even press charges against you).

At the end of the day, what really matters is how seriously each vendor takes the handling and coordination of these incidents (communication with researchers and companies), because if we have finally accepted that none of the global vulnerability reporting policies works, it is up to each vendor to define its own policy, which is what pleases both sides most. Mozilla, Barracuda, Google, Facebook and Twitter have already done so. Not all of them pay for the vulnerabilities found; some simply acknowledge the researcher's help.

In short, prevention is better than cure: every large company should have a clear, published policy on the vulnerabilities that third parties find in its products, services or simply its websites, and it should recognize the work of those who collaborate in good faith to improve security.