Waffling over disclosure

Is it better for a company to disclose the full scope of a particular vulnerability once a fix is available, or does it have an obligation to protect its customers by withholding details that would aid an attacker?

The month of August wasn't a good one for many of you who spent the dog days patching your servers. Whether you were fending off the Code Red worm or installing Novell's mysterious Padlock patch on your GroupWise servers, there was plenty to keep you busy.

If you missed the news, last month Novell announced the existence of a serious vulnerability in its GroupWise collaboration and messaging software. Weeks later, the company still isn't talking about the vulnerability, which affects only GroupWise 6 servers and GroupWise 5.5 servers with the Enhancement Pack loaded. Interestingly enough, Novell's website indicated that the vulnerability resulted from a flaw that has been present in GroupWise since Version 4.2.

To its credit, Novell released patches for the vulnerability when it fessed up to the hole in GroupWise. The bulletin didn't leave much ambiguity about the seriousness of the problem; Novell was advising affected GroupWise shops to apply the patches ASAP, "within hours." I don't know about you, but to me that means now, not when you can buttonhole an executive to get permission. The mail I've received from readers indicates that some local Novell resellers went as far as phoning customers to make sure that knowledge of the hole -- and the patch -- got into the hands of the people who needed it.

A few of you wondered why Novell's alert didn't include details of the vulnerability. It's a tradition of long standing in the computing community that full disclosure of vulnerabilities, and of the exploits that take advantage of them, is the best practice, because it makes for educated end-users, advances the art, and so on. Elias Levy recently wrote an eloquent piece for the Security Focus website -- published just before the Padlock vulnerability was announced -- advocating full disclosure, and I closed my browser window convinced of the virtue of that practice.

But I've thought about it further, and weeks later, I'm no longer so sure. I'll take a chance on being called wishy-washy, but I believe that most of you agree with me that we're caught in a dilemma. Is it better to disclose the full scope of a particular vulnerability once a fix is available, or does a company have an obligation to protect its customers by withholding details that would aid an attacker? Publishing details of an exploit before a fix is available is certainly asking for trouble, and certainly irresponsible.

I doubt that there is a hard and fast rule that one can apply to disclosing vulnerabilities. Although I agree with many of my fellow pundits in supporting full disclosure, there may be cases where a need-to-know basis is appropriate. Novell's gurus are doing the right thing for customers in the short term, but I hope they don't sit on the details of the Padlock vulnerability for too much longer.

PJ Connolly covers groupware, messaging, networking, and security for the InfoWorld US Test Center.
