Is responsible disclosure dead?
Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?”
I think the key assertion that I take issue with is bolded in the context below:
Unquestionably, zero-day vulnerabilities have an increasing real-world value to many different parties. We should expect more and more researchers to demand and receive payment from governments, software vendors, security vendors, enterprises or someone on the black market. It has already happened and will continue. The evolution is underway and it will become more prevalent in the next few years as it becomes routine for our systems to be compromised using unknown vulnerabilities. This environment will force us to evolve our thinking and mature our offensive and defensive security strategies – fueling the need for third-party patches, subscriptions to unreleased vulnerability information, and general underground industry intelligence. We’re already seeing these services being offered on the fringe (legally and illegally) and slowly moving towards mainstream acceptance as the business models are better understood. So it’s not a matter of if, but when.
We will need to evolve, yes, but I don’t see that the direction suggested is the one we’ll need to take. In particular, operationally using 0day is a tricky business. You risk discovery, and losing a valuable asset, by exposing it to a target. So maybe you use something a bit more commonplace instead. As I recall, the Verizon Breach Report says that roughly 75% of vulns exploited have been public for a year or more. Yes, there’s a rapidly growing volume of underground stuff, but rapid growth is easy when such things are a tiny fraction of attacks, vulnerabilities, or root causes of bad outcomes.
So I’m curious: where is the evidence that undisclosed vulns will come to dominate? Oh, and a second question. Jeremiah, your title seems to imply that this is the most important thing for businesses to realize. Is that really what you meant?
My employer spends a lot of energy on building things to make exploiting unknown vulns harder, but if I wanted to speak for them, I’d do so on my work blog.
[Ooops! Mis-spelt Jeremiah’s name. Sorry!]