On responsible disclosure, Part 1
One IT security topic that will never go away is vulnerability reporting - and the ethics of what truly constitutes “responsible disclosure.”
As you’re probably well aware, opinions – and usually well-researched ones at that – range from the position that security researchers should not disclose a flaw until the vendor has released a patch to the belief that every vulnerability, no matter how dangerous or widespread, should be disclosed immediately.
And that’s not even touching the debate over whether or not it’s ethical to pay for vulnerabilities…
We’ll be revisiting the vulnerability research debate on this blog – hopefully taking in a wide variety of opinions. As always, please feel free to provide comments of your own or link to other blogs.
So, without further ado, here’s a post from Gunter Ollmann of IBM Internet Security Systems on “Disclosure vs. ethics.”
“Again, from my perspective, it is irresponsible and unjustifiable to hold an unresponsive vendor’s customers to ransom and undue risk. This is why I have trouble digesting some organizations’ disclosure guideline exceptions when dealing with Apple. Granted, Apple has an extremely poor – if not downright hostile – relationship with vulnerability researchers around the world, but that doesn’t mean that we should take our frustrations out on their customers. There are plenty of other ways to educate Apple and their customers – even the naïve ones that believe heart and soul in Apple’s boldest security claims.”
-Gunter Ollmann, Frequency X, “Disclosure vs. ethics”
