Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011.
When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and releasing an advisory has not been agreed upon despite efforts to the contrary (for example the pioneer work done by Rain Forest Puppy), and because of this, they are handled in a number of ways. Add unexpected third parties, uncooperative vendors, and potentially lawyers into the mix and you’ve got quite the party (minus all the fun and the drinks). Thomas’ talk aims to educate individuals about the process of responsible disclosure, commons pitfalls and mistakes, and various techniques to make your lives easier if you ever find yourself in a situation where you just made calc.exe (or worse) pop up on your friend’s box using a previously unknown technique. A number of various personal stories will also be included to enlighten, educate, and hopefully humour the audience about the experience of the chess game that is responsible disclosure (you might also want to watch Jeff Moss’ talk held at DeepSec 2007 about his experiences with a talk about Cisco IOS vulnerabilities). Thomas will be talking about an online gateway that he plans to develop and to help researchers and teams find security contacts and develop their own security policies in house. Thomas will also briefly mention third parties like VUPEN, ZDI, upSploit etc. and how they can help to manage your vulnerabilities.
The talk is recommended to everyone sitting on either side of a vulnerability. It doesn’t matter if you discover a bug or are a victim of it. Proper disclosure of information regarding security vulnerabilities is one of the cornerstones of security research. Therefore you should know as much as you can about it.