Irresponsible Disclosure

There continues to be discussion in various forums regarding the merits and methods best used to share vulnerability information with the general population, the responsiblilty and expectations that researchers, vendors and the general public have around what gets released and when.

In the “Responsible Disclosure” model, researchers (the white hat ones at least) find a bug, pull its legs off to determine how and why it exists, advise the vendor, and then wait for a patch before going public with the details.  In a perfect world, the vendor acknowledges the bug report, credits or even pays the reporter, and produces a protective patch at the same time as, or before information starts to spread regarding how to exploit the vulnerability.  This keeps the risk of attack low while the patch is being applied. 

In reality, it produces frustrated researchers as vendors are slow to accept, acknowledge and develop fixes for vulnerabilities, ticked off vendors as the frustrated researchers release details to their colleagues, peers and the public after tiring of waiting for responses, and the “CowBoy Effect”, where researchers opt for IRRESPONSIBLE DISCLOSURE as a mechanism to spur the vendors forward or to generate fame and inflate their own egos.

Here is an example of a research vendor that in my opinion, has chosen to be totally irresponsible in their disclosure.  They are opting to wait for a security conference to release 13 zero-day vulnerabilities, implying that these are being exploited in the wild and that the vendor may not have been notified, so that they can maximize publicity.

Dear IT Security colleagues,

Mid-June 2010, TEHTRI-Security will be at SyScan Singapore for an outstanding conference. There, we will release more than 13 remote pre-auth zero-days against many different products (yes: 13 0days…).
We will also propose multiple generic technical solutions that might help white hats when they want to counter-strike most exploits packs systems and web attackers.  And before we conclude, we will also offer a complete web based botnet tracking and destruction from a real life example…

It’s time to get rid of those threats, and to show that there are other non-standard solutions when you are under attack. Stay tuned…

We would like to thank the big and small companies who trusted our services and who asked for assistance by also sharing some logs and some blackhat tools that they caught when they were under attack. If you have such web security issues, do not hesitate to contact us, so that we can help and assist you with our innovative technologies or our trainings.

Laurent OUDOT, Founder and CEO of TEHTRI-Security

Needless to say, I don’t support this vendor, do not appreciate their tactics, and definitely do not support their marketing model if they seek notoriety by increasing the risk to businesses worldwide for the sake of publicity.  Good luck to you mister Oudot.  May you continue to conduct business during interesting times.