Ethics of Full Disclosure of Security Holes

2901 Words6 Pages

Ethics of Full Disclosure of Security Holes

Introduction

Security breaches are making big headlines nowadays, and Microsoft is leading the charge. Its flagship operating systems and office suite are so bulky and complex, that it is impossible to be bug-free. The system administrators (the white hats) are up to their noses plugging all the holes from super hackers (the black hats). Yet they are also facing attack from another front – those that post vulnerabilities on the internet (the gray hats).

The gray hats are hackers that find security vulnerabilities and post them on the internet, forcing system administrators to patch up the holes. Usually, they inform the vendor ahead of time. Then, if they deem the company is not taking them seriously, and malicious hackers will exploit the threat, they post it on a forum. Though acting in good faith, the ethics of full disclosure of security holes are in debate, including: how full disclosure can cause more harm then good, how long vendors should be allowed to fix the problem, and liabilities for posting on the internet.

Issue 1: Full disclosure of security-related information can inflict more damage than good. You are showing people how to break into systems.

The debate about vulnerability-disclosure policies involves two main parties. Researchers at security companies say they want to get their latest findings out quickly to hasten software makers' response to bugs. Software makers, on the other hand, say they aren't given enough time to deal with a problem, and that publicizing it simply alerts malicious hackers to an opportunity.

There are super hackers out there who find security vulnerabilities, then write a script up on the internet, with one or two l...

... middle of paper ...

...on't publish code, 17 Oct. 2001, CNet News.com, 11 Mar. 2004, <http://news.com.com/2100-1001_3-274577.html?tag=st_rn>

6. Lemos, Robert, Microsoft developers feel Windows pain, 7 Feb 2002, CNet News.com, 12 Mar. 2004, < http://news.com.com/2100-1001_3-832048.html>

7. Lemos, Robert, When is Hacking a Crime? 26 Sept 2002, ZDNetNews, 15 Mar. 2004, <http://www.frame4.com/php/printout88.html>

8. Fried, Ina, Attack concerns slow Microsoft's pace, 16 Mar. 2004, CNet News.com, 16 March 2004, <http://zdnet.com.com/2100-1104_2-5173575.html>

9. Shankland, Stephen, Governements to See Windows Code, 14 Jan 2003, CNet News.com, 14 March 2004, <http://news.com.com/2100-1001-980666.html?tag=nl>

10. Lemos, Robert, New laws make hacking a black-and-white choice, 23 Sept 2002, CNet News.com, 14 March 2004, <http://news.com.com/2009-1001_3-958129.html>

Open Document