.. and the debate keeps raging

ZDNet Asia had an article recently, titled “Bug hunters, software firms in uneasy alliance”, which brought up the age-old full disclosure (or ‘responsible’ disclosure) debate. This prompted a Slashdot thread with various comments.

My favorite pop tart, Mary Ann Davidson (chief security officer at Oracle) managed to get quoted again. As usual, she still seems to have this serious disconnect between “responsible disclosure” and “responsible patching”. Let me quote a small portion of the article, see if it jumps out at you too.

Mary Ann Davidson, chief security officer at Oracle, sees security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on News.com. “The reality is that most vendors are trying to do better in vulnerability handling. Most don’t need threats to do so,” Davidson said.

Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided.

Oracle chided Kornbrust as irresponsible for disclosing the data.

These vulnerabilities were disclosed to Oracle on 2003-07-31 and disclosed to the public on 2005-07-19. Three of them were Cross-Site Scripting (XSS), considered by most to be trivial to patch. Who is irresponsible here?
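To make the "trivial to patch" point concrete, here is a small added example (mine, not code from the article, Oracle, or Kornbrust's advisories) of what a reflected XSS fix usually amounts to: the page echoes an untrusted query string into HTML, and the patch is a single output-encoding call. The query value is a constructed sample; the function names are my own.

```python
import html

# Constructed sample input: a query string the page reflects back to the user.
# This is an illustrative value, not taken from the article or any advisory.
SAMPLE_QUERY = '<script>alert(1)</script>'


def render_vulnerable(query: str) -> str:
    """The bug: untrusted input is concatenated straight into the HTML response,
    so any markup in it is interpreted by the browser (reflected XSS)."""
    return f"<p>Results for: {query}</p>"


def render_fixed(query: str) -> str:
    """The patch: HTML-encode untrusted data at the point of output.
    quote=True also encodes " and ', so the value stays inert inside
    attribute quotes as well as in element text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check a vendor could add to its test suite: does the
    untrusted string reach the response byte-for-byte, i.e. unencoded?"""
    return untrusted in rendered


if __name__ == "__main__":
    print("before:", render_vulnerable(SAMPLE_QUERY))
    print("after: ", render_fixed(SAMPLE_QUERY))
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(render_vulnerable(SAMPLE_QUERY), SAMPLE_QUERY))
    print("fixed reflects raw markup:    ",
          reflects_raw_markup(render_fixed(SAMPLE_QUERY), SAMPLE_QUERY))
```

The fix is one line per output site, which is why a two-year turnaround on three XSS bugs is hard to defend on technical grounds; the real cost in a large product is finding every echo point, not writing the patch.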
