A Question of “When?”
July 29, 2010
Over the past six weeks, there has been a raging debate within the security community over the topic of “when.” I’m referring to the point at which it is considered acceptable to publicly release details of vulnerabilities one has discovered in a product after informing the vendor who created that product.
The discussion began the first week of June when Google researcher Tavis Ormandy publicly disclosed a substantial flaw in the Windows Help and Support Center component built into the Windows operating system (Windows XP and Server 2003), a mere five days after he informed Microsoft about the vulnerability. His rationale was that he felt Microsoft wasn’t taking him seriously, so he decided to force the issue by making it public. A month later, 25,000+ systems have been compromised worldwide, because Tavis not only explained the vulnerability in great detail but also published proof-of-concept code for the world to see. Not surprisingly, the malware seen a few days after he went public was directly based on his proof-of-concept code.
The debate continues today, with sides divided between Google (which has stated it backs Tavis’ decision to publish) and Microsoft (which holds Tavis responsible for the resulting compromised PCs).
This is where the question of “when” comes into the equation: how much time is considered “reasonable” to give developers to address vulnerabilities in their code? Is this a fixed value? Do you give less time for a smaller product, or perhaps more for a complete operating system? Considering that Microsoft releases patches on a monthly cycle (normally the second Tuesday of the month, “Patch Tuesday”), and Tavis informed Microsoft in the first week of June, would you have thought it reasonable for Tavis to sit on the information for at least one full patch cycle before going public? Not only does the vulnerability need to be investigated, but the resulting patch needs to be thoroughly tested to make sure it doesn’t break something else.
So what do you feel is a reasonable answer for “when”?
Leigh –
What do you feel is a reasonable amount of time? Do you think Tavis was in the wrong?
Static time limits don’t make sense; a lot of it will be contextual: what’s the flaw, who does it affect, what has been the vendor’s response to this particular hole, what have their typical responses been, etc.?
This particular situation seems pretty iffy; Microsoft’s had a mixed track record but Leigh’s point regarding their existing patch cycle is a valid one.
I would have given MS a full patch cycle (30 days) to address it.
Tavis informed MS on June 4th, and from reading interviews on the subject, he was in negotiations with MS as to a patch release date to address the exploit. Apparently he didn’t like the answers MS gave him regarding a timeline, so he turned around and unloaded everything he had about the exploit, including proof-of-concept code, on June 9th.
4 days isn’t enough time for any vendor to respond. That was just plain irresponsible; this smacks more of someone with an axe to grind than anything else, someone wanting to prove a point regardless of how many people get hurt in the process.
-Leigh