Thursday, July 15, 2010

some thoughts on full disclosure

long time readers may recall that i'm not actually an opponent of full disclosure. i suppose this may come as a shock to some newer readers but it's true, i actually support full disclosure - but only in some very specific circumstances which i intend to refine here.

in contemplating my post about responsibility the concept of full disclosure came to mind. specifically the question of how it works. how does full disclosure convince vendors to act? why is it persuasive? where does full disclosure get its teeth from? these are important questions because, as it turns out, the answers affect how we consider full disclosure in the context of responsible behaviour.

the concept of full disclosure is often framed so as to make it appear to be a vendor vs researcher issue where the researcher is the champion of some abstract notion of security and the vendor is being recalcitrant, perhaps even practicing outright denial that a problem exists. unfortunately this sort of framing ignores two very important players - the malicious attackers and the vendor's customers. of course the argument can be made that those two groups are taken care of when the vendor submits to the researcher's authority and fixes the vulnerability the researcher disclosed; and maybe that's true, but it glosses over a lot of the inner workings of the process.

now given that the most reasonable characterization of a vendor is that their primary interest is the bottom line, it stands to reason that full disclosure persuades them to act by threatening their bottom line. the bottom line, of course, comes from their customers. but most customers don't read security forums or mailing lists. they aren't aware of any security problems, and they certainly aren't changing their behaviours or buying patterns based on things they aren't even aware of. malicious attackers, on the other hand, do read a variety of sources for information about new vulnerabilities, and they use that information to launch attacks which affect the vendor's customers. when a group of people are being victimized and the commonality between them is discovered to be the vendor's product/service, that harms the vendor's brand, which leads to fewer customers and ultimately affects the vendor's bottom line.

so let's look at full disclosure this way: it operates by giving attackers the information they need to launch attacks. the attackers then launch those attacks and victimize the customers. attackers have often proven able to produce attacks using a vulnerability faster than the vendor can create a fix for it (often a matter of days compared to weeks or months from the vendor's side). as a result the vendor rushes out a fix in order to protect as many of their customers (as much of their cash cow) as possible. at this point all is supposedly right with the world, unless you take into consideration the people who patch late or the fact that rushing things out the door generally results in poor workmanship and has the potential to cause more problems than it solves.

it needs to be said that this process, this chain of events, breaks down if the attackers don't attack. they have to attack at least most of the time in order for the threat to the vendor's bottom line to be credible. if full disclosure didn't result in attacks a significant amount of the time then there would be no reason for vendors to believe the disclosure would affect their bottom line, and full disclosure would cease to be effective at persuading vendors to bow to the whims of researchers. consequently, whether researchers are aware of it or not, and whether they're willing to admit it or not, hoping for full disclosure to effect change means hoping that attackers mount successful attacks as a result of full disclosure. they might hope that their particular disclosure is an exception to this rule, but that's more than a little unrealistic.

so if full disclosure only works by leveraging the bad guys, if it's a process that manipulates attackers into behaving in a way that forces the vendor's hand and throws innocent users under a bus along the way, then why on earth would i not be entirely against it? because under certain circumstances it's better than the alternatives. what circumstances would those be? when the attackers demonstrably already have the info without the benefit of the researcher's disclosure (better still if it's mainstream because then it's unlikely the disclosure will even raise the vulnerability's profile amongst attackers) and the vendor actually is in a state of denial. if the researcher's contribution to harming users will be demonstrably negligible and the vendor is stubborn beyond reason and really needs a swift kick in the ass then the ethical arguments against full disclosure break down.