originally posted elsewhere 2012.08.17.
The Full Disclosure folks say that vulnerabilities should be disclosed immediately. Their arguments have some merits. The Responsible Disclosure folks say that the vendor should have n number of weeks to get a patch out, then it goes to Full Disclosure. That has some merits as well, but the trouble is the public doesn’t know there’s a problem during the n weeks. The calculation is a balance of how many people will be protected vs. how many people will be harmed.
It occurs to me that a third way, call it ‘Informed Disclosure’ for now, would be to:
Make an announcement that x number of vulnerabilities have been discovered in the foo feature of bar and list known workarounds.
Wait the n number of weeks
move to Full Disclosure
as a way to avoid the problem with Responsible Disclosure but still give the vendor reasonable time to react. e.g. ‘Informed Disclosure’ may say:
and then send Adobe the exploit code, which will be published in 45 days. This also removes the illusion of potential blackmail from security researchers, because the public has on-record information that the disclosure will be published, regardless of the action or inaction by the vendor.
Surely others have taken this approach, but I can’t find a name attached to it — anybody?