[Development] Proposal: Change Qt's Security Policy to Full Disclosure

d3fault d3faultdotxbe at gmail.com
Mon Oct 22 01:15:35 CEST 2012


>
> http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
>

Interesting article, but it tells us nothing. They merely talk about
Full vs. Responsible Disclosure, and they admit that it's an ongoing
debate. The overall conclusion after 12 pages in the article: "the
disclosure of zero-day vulnerabilities causes a significant risk for
end-users, as the volume of attacks increases by up to 5 orders of
magnitude". Common sense lol, and zero day comes no matter what.

Responsible Disclosure is Security-Through-Obscurity, and
Security-Through-Obscurity DOES NOT WORK. You are pushing back zero
day and claiming it's a good thing. Not only do crackers who already
have the vulnerability get to use it for that much longer, but now
you're also widening the exposure (ever so slightly) of the
vulnerability. Now you not only have those 1 or 2 crackers to worry
about, but also every "analyst" in the closed security group, their
wives, their children, ALL the software they run on the machine in
which they analyze (all it takes is one bug), etc etc etc. There are
infinite ways for the information to be leaked unintentionally.

Scenario:
A vulnerability exists.
One cracker finds it and keeps it all to himself.
30 days later, one analyst finds it and reports it to this private
network of security analyst friends (a few thousand people perhaps?).
2 weeks later, the vulnerability is publicly disclosed and the fix is released.

The 2 weeks in which the thousands of "trusted" individuals have
access to the information is much more dangerous than the 30 days in
which one cracker has it all to himself. The solo cracker can only do
so much by himself (I'm certainly not claiming we shouldn't be afraid
of him, but that's a different discussion than Full vs. Responsible
Disclosure).

Rationale: During those two weeks, the likelihood that the information
escapes into the wild (into the underground cracker circles worldwide
where information flows like water) increases tremendously.

Check and mate,
d3fault
