Partially disclosing vulnerabilities does no one any good

Partially disclosing vulnerabilities and building up hype before disclosing full details appears to be on the increase. The only problem is that it isn't doing anyone any good.

What if I was to tell you that I have a secret that could end the Internet as you know it? What if I was only going to tell you at a fee-based conference once speculation had gone on for a month or more? How would you respond to that?

If what I held turned out to be nothing, then it was nothing more than a waste of everyone's time and effort, and I appear to have conned you out of some money.

If what I held actually was something, then it could almost be considered information blackmail: holding critical information hostage and refusing to tell anyone any details beyond the initial scaremongering until some arbitrary set of conditions has been met.

Whatever the outcome, you are sure to be more reluctant to listen to my pronouncements in the future.

Unfortunately, for some strange reason, a number of Information Security experts have decided upon this course of action when alerting people to a problem they have discovered. At the moment, the approach seems to be having the result the researchers intend: raising awareness that a problem exists, so that when the information is finally released people are ready to do something about it. Whether more people actually end up doing something is another matter.

Through repeated quasi-disclosures, the Information Security industry faces the risk of becoming the boy who cried wolf. If this pattern of hype-disclosure continues for long enough, eventually new announcements are going to be completely ignored by the wider market. Enterprising attackers will always be on the lookout for new weaknesses to target, so it could be argued that hinting at a vulnerability is actually going to cause more harm than good to the end user.

Those who are cynically minded would also argue that the discoverer is only highlighting their discovery to try and sell you something, which conveniently is either a magic bullet that stops attacks against the vulnerability cold or a service that would have identified your exposure to it long before it was made semi-public. Unfortunately this is becoming all too common, especially when disclosure happens via press release from an Information Security vendor.

Dan Kaminsky's DNS flaw, which he (re)discovered, was a real problem (given the number of vendors that were vulnerable), but how the disclosure was handled left many disappointed. Other vendors seem to be treading the same path, with the latest in the run of speculative announcements coming from the normally reliable GNUCITIZEN group, who have announced a supposedly new technique that is claimed to lead to universal website hijacking.

But, based on the information published, it isn't as bad as the initial claim makes out. It is a vulnerability, or set of vulnerabilities, found in devices (currently believed to be Web Application Firewalls [WAF]) placed between a site and the rest of the Internet. It is like saying that because a commonly used antivirus suite has some critical vulnerabilities (which most already do), everyone's computer can be compromised and the end of the world is nigh. Come October 30, the details are to be released at a fee-based conference, but since the vulnerability details were sold to a vulnerability trader, they may not even be made public at that time.

When vendors move to close down a talk, it is somewhat different. Jeremiah Grossman and Robert "RSnake" Hansen were to speak on "ClickJacking" at a recent security conference, but vendor requests led to the cancellation of the talk. We are going to have to wait until the vendors involved are able to release patches to address the suppressed issue, but early estimates, based on the limited information made public so far, are that it is a reappearance of a previously discovered, but not widely known, issue. Claims are that it dates from at least 2002, but the description of the vulnerability makes it sound like something that beginning web developers could stumble across when learning object placement on web pages, so it could be even older.

At the least, the severity of the issue seems to have caught the rediscoverers completely by surprise. RSnake even acknowledges that the way the issue is being handled, as far as partial disclosure goes, draws parallels with many previous cases and could still end up being messy for them.

What is happening is not Full Disclosure; rather, it is disclosure up to the point where you can leverage attention to yourself and your company (and possibly a financial result). It is debatable whether it is even Responsible Disclosure.

The whole partial disclosure trend may be considered an unavoidable result of the commercialisation of Information Security. It isn't going to go away, so we will have to learn to manage information released through such processes, as we already do for other disclosure practices.

Tags: dns flaw, clickjacking, vulnerability disclosure
Carl Jongsma