07 Jul 08

Non-transparency hurts……….let the hacker be your guide

Last week rsnake had an interesting take on letting hackers “help” software companies find vulnerabilities. Specifically, he discussed how badly companies can handle vulnerability disclosure and the people who report to them:

In some cases, I have fully disclosed the issues I’ve found, and I have responsibly disclosed issues as well. In some cases, I have just kept quiet about what I know. All of these approaches to disclosure have their time and their place.

But things can go terribly wrong in the disclosure process. One great example is the recent thread on sla.ckers.org, where a researcher published a vulnerability in Yahoo! and had such a bad reaction that he went full disclosure. This is avoidable, folks!

Someone at Oracle once told me that his organization will not work with anyone who reports vulnerabilities publicly. I almost choked when I heard it. Are you kidding me? Why would you intentionally push someone away who is finding issues regularly in your product? If anything, you need to hire them or bring them closer. Find a way to recoup their expenses, donate hardware/software, give them work to do, ship them beta software. Anything to stay in their good graces!

Prior to becoming a security professional, I was once an Oracle DBA, and even now I have the misfortune of having to work with Oracle Corp. from time to time. The above attitude does not surprise me, as I find Oracle to be one of the most arrogant, insular and not-living-in-the-real-world corporations I have ever seen or imagined. Personally, I have discovered so many obvious bugs and security holes within Oracle software that I can understand why they wouldn’t want this information spread around, because it would reveal the true dysfunctional state of software development within the company.

Personally, I’m on the fence as far as “outing” vulnerabilities goes. It seems that if that’s the only way to get a company to take action on a vulnerability, what other avenue is there?

http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=157993&WT.svl=blogger1_3

