originally posted elsewhere 2012.08.17.
The Full Disclosure folks say that vulnerabilities should be disclosed immediately. Their arguments have some merit. The Responsible Disclosure folks say that the vendor should have n weeks to get a patch out, and then it goes to Full Disclosure. That has some merit as well, but the trouble is that the public doesn’t know there’s a problem during those n weeks. The calculation is a balance of how many people will be protected vs. how many people will be harmed.
It occurs to me that a third way, call it ‘Informed Disclosure’ for now, would be to:
Make an announcement that x vulnerabilities have been discovered in the foo feature of bar, and list known workarounds.
Wait the n weeks.
Move to Full Disclosure.
This avoids the problem with Responsible Disclosure but still gives the vendor reasonable time to react. For example, an ‘Informed Disclosure’ announcement might say:
ISSUE-001: Acrobat Reader has a vulnerability with JavaScript objects embedded in documents that can cause a smashed stack. Disable JavaScript in Acrobat Reader to avoid this problem.
and then send Adobe the exploit code, which will be published in 45 days. This also removes the appearance of potential blackmail by security researchers, because the public has on-record notice that the disclosure will be published regardless of action or inaction by the vendor.
Surely others have taken this approach, but I can’t find a name attached to it — anybody?