because the dishonest are tolerably certain to apply the knowledge practically;
and the spread of the knowledge is necessary to give fair play to those who
might suffer by ignorance.”

(Where Hobbs uses lock, substitute the word “application” and this treatise would be as relevant
in 2014 as it was more than a century-and-a-half ago.)

Today, as in the 1850s, software vendor attitudes with regard to disclosure are evolving from
“criminal” toward “helpful,” but we haven’t yet reached the point where anyone can comfortably
submit a vulnerability to any vendor. Some, like Google and Microsoft, are doing a good job of
setting the pace, and companies like Bugcrowd are making it easier to manage the process, so
we’re moving in the right direction, but the road remains dark and full of terrors.

Where things get really interesting is when you start to think at cloud scale. Suppose we solve
the patching problem by delivering software as a service: what happens when someone finds a
vulnerability? Customers of a hosted service cannot patch, reconfigure or work around the flaw
themselves; only the vendor can. So if the vendor doesn't fix it within the allotted responsible
disclosure window and the vulnerability is published, the person who discovered it is, ostensibly,
actively harming every single one of that vendor's customers. Further, is it reasonable to expect
every vulnerability, whatever its severity, to be fixed in 45 days?

Then the question becomes who is to blame: the person who found the vulnerability or the
vendor that didn’t patch it?

The next evolution of responsible disclosure will need a governing body that sets appropriate
deadlines (and maybe payouts) for vulnerability disclosure by interfacing between researcher
and vendor on metrics like severity, likelihood of exploitation, and impact to the vendor's
business (e.g., patching this vulnerability means we can't ship a major release, which will hurt
the bottom line). But before we get to that point, we should err on the side of openness and
keep moving in the direction we are already heading.

About the Author

Tal Klein is vice president of strategy at cloud computing and SaaS
security provider Adallom, based in Palo Alto, Calif. Previously, Tal
was senior director of products at Bromium where he led a product
marketing strategy that helped build that company into a multi-million
dollar business. He has managed integrated product strategy at Citrix
and also spent more than a decade in the web hosting industry
developing managed infrastructure services.

36 Cyber Warnings E-Magazine – October 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide