[Development] Proposal: Time to decide what security policy the Qt Project will use (not Trolltech/Nokia/Digia)
thiago.macieira at intel.com
Thu Oct 25 19:08:25 CEST 2012
On quinta-feira, 25 de outubro de 2012 00.18.32, d3fault wrote:
> Qt has corporate roots. Responsible Disclosure has been in place since
> the Trolltech days. Corporations tend to prefer Responsible Disclosure
> because it pleases their commercial customers. Commercial entities
> like to keep their end users in the dark because vulnerabilities
> reflect poorly on the company and affect their bottom line.
Against my judgement, I'm replying to you. I'm doing that *again* only because
this is about security. So let's get on with it.
Your characterisation above is incorrect. Corporations may have profit motives,
and I'm not saying they don't. But your characterisation is somewhere between
blissfully ignorant and flat-out lying and FUD: commercial entities have good
people who make intelligent and logical decisions.
But this is not about them. This is about the Qt Project. So let's get on with
Note: Intel practices Responsible Disclosure, but this is not about my
> So for the sake of argument, let's say it has none. We should then
> compare the pros and cons of Responsible vs. Full Disclosure .
> As of yet, no logically sound arguments (that haven't been re-butted
> by yours truly) have been presented in favor of Responsible
> Disclosure. Lots of opinions have been presented, but opinions have
> very little weight against logic. The only exception to the "no
> arguments" is script kiddies, but script kiddies are nothing compared
> to crackers. Responsible Disclosure both extends the window of
> opportunity for crackers and also increases the vulnerability's
> overall exposure... leading to more crackers finding and exploiting it
> before public disclosure.
Here are the arguments in favour of Responsible Disclosure:
While there are many zero-day exploits, assuming that all security issues are
known to exploiters is disingenuous. What's more important in this is that the
level of competence and resources in the exploit community varies a lot. I can
agree that exploiters with vast resources may learn the security issues before
the full disclosure happens, but I definitely do not agree that all exploiters
Therefore, disclosing the details to everyone is irresponsible. This enables
attackers with little resources to gain access to details that they may
otherwise not have found out. This increases the attack surface and compounds
Another argument is that disclosing too early serves little benefit. More to
the point, disclosing the details of a security issue before a workaround or
fix is available serves very few. There's a waterfall where we lose people upon
- most people will not be paying attention
- of those that are paying attention, we lose a great part because the
details are too technical and they are not able to comprehend them,
not even to determine whether they are affected by the issue
- of those that did understand the details, we also lose a great part because
they are unable to come up with a fix or solution for their affected systems,
short of shutting them down completely
Let's be generous and say that 3% of the community is able to act on the
fully-disclosed security information before a fix or workaround is published.
That means 97% is still vulnerable, and we've just enabled low-resource
attackers to attack.
Instead, Responsible Disclosure requests that the sensitive information be
treated in a closed circle until a workaround or, preferably, a fix is
available. This closed circle should publish the inoculation mechanisms as
soon as possible, as well as the proper fix if that's the case. By releasing
the information on how to close the vulnerability before the details of the
attack vector, we accomplish:
- a high signal/noise ratio on the disclosures, which should cause people to
pay more attention
- relevant information for the affected parties on what steps they should take
to protect themselves
- little information for the attackers on how to exploit the issue
This isn't coming from just me. I've taken the time to talk to a security
expert, who explained the details to me. That has reinforced what I already
> I really hope we choose Full Disclosure as our security model, as it
> gives the _users_ the best opportunity to protect both themselves and
> their end-users.
I do not and my reasons are above.
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 190 bytes
Desc: This is a digitally signed message part.
More information about the Development