Irresponsible disclosure? That’s a big fat zero

Graham Cluley

Brian Krebs has published an interesting interview on his KrebsOnSecurity blog with Evgeny Legerov, the founder of Russian security firm Intevydis.

In the interview Legerov reveals that he plans to take the controversial step of releasing details of previously undocumented zero-day vulnerabilities in several widely-used software products, as he is fed up with software vendors not taking the security holes seriously:

"After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called 'responsible disclosure' policy," Legerov said. For example, he said, "there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor."

I can understand Legerov’s frustration but I think he’s wrong to release information about unpatched vulnerabilities. Such an approach may inevitably lead to innocent computer users finding their systems compromised by hackers exploiting the zero-day vulnerabilities before a patch is available.


What I think Legerov has failed to realise is that there is another way to get vulnerabilities fixed, whilst still behaving responsibly.

If a software vendor has failed to respond in an appropriate time to a vulnerability that exists in its shipping code then you don’t have to go public with details of the security hole. Instead, you could use the power of the media to your advantage.

Rather than posting detailed specifics of how to exploit the vulnerability on the internet, work with a friendly journalist. Demonstrate the security hole to a journalist, perhaps even make a video showing the problem (but *without* giving away details of how anyone else could replicate the issue), and rant as loud and long as you like about how frustrated you are with the software vendor.

It will make a great news story – and that will pressure the vendor to take the necessary steps.

Irresponsibly disclosing details of vulnerabilities is effectively putting a gun against the head of a software vendor, but risks shooting innocent users too. If you’ve found a serious vulnerability then a security journalist will be happy to discuss it, publicise it with their readers, and put pressure on the vendor to take appropriate action.

* Image source: Ferran Nogués’ Flickr photostream (Creative Commons)


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
