Feb 16 2010
Several months ago the organizers of the 2010 RSA Conference contacted me and asked me if I’d be interested in moderating a panel on responsible disclosure. Being no dummy, my first reaction was to do some research and make sure my podcast co-hosts weren’t trying to pull a practical joke. If you know Rich and Zach, you know that’s not a totally unreasonable assumption to make. But it turned out to be the real deal, and I’ve spent the last couple of months working with folks and trying to organize what promises to be one of the highlights of the conference, at least for me.
I’m not a vulnerability researcher; I don’t work for a major software vendor. I am a customer of many of the same software vendors we all use on a daily basis, and the vulnerability disclosure debate impacts my job as a security professional in more ways than I care to imagine. My first real exposure to the debate came in 2005 when Cisco hit Michael Lynn with a gag order just before his presentation on a major vulnerability at Black Hat. I was outraged that Cisco would treat Michael Lynn like a criminal rather than owning up to the problem and creating a patch. I’ve mellowed a little since then, but I’ve still kept up with the debate and the different ideas behind full disclosure, no disclosure and responsible disclosure. What’s more than a little disheartening is that the conversation really hasn’t changed much since 2005, and researchers and vendors are still battling it out on a daily basis. We’re seeing the idea of responsible disclosure take the center of the debate, and a few vendors have improved greatly, but as an industry we still have a long way to go in actually improving the situation.
One of the problems, as I see it, is that we haven’t really defined what the ‘responsible’ in responsible disclosure really means. If we’re going to call it responsible disclosure, we have to break down and define what responsibilities vendors and researchers actually have to each other and to the public. A second problem is that we’ve been treating this discussion as only having two sides, when there’s really a third actor on the stage: the customer. While the vendors and the researchers spend time yelling and sniping at each other, it’s the people who’ve spent money on software who really suffer from the fallout of the arguments. We, the users and purchasers of software, don’t really have much of a voice in the conversation. At RSA 2010, we’re going to change that, at least for the day.
Join me on Wednesday, March 3rd at 10:40 am to discuss with a panel of industry experts exactly what responsible disclosure means to them and what responsibilities they owe each other. And we’ll have the people who are actually impacted by the debate involved to talk about how the actions of both researchers and software vendors affect their lives on a daily basis. Michael Barrett, CISO of PayPal, and Tim Stanley, CISO of Continental Airlines, will get a chance to tell vendors and researchers that the current system isn’t working. HD Moore of the Metasploit Project and Steve Dispensa from Phone Factor will have a chance to air their own concerns about the disclosure process as researchers. Finally, Katie Moussouris, Senior Security Strategist for Microsoft, and Brad Arkin, Director of Product Security and Privacy, can talk about how the process is evolving within their corporations. Given who’s involved, it promises to be fun, and I won’t be surprised if there’s more than a little heat to the debate.
To give you a little taste of what’s to come, please listen to several short interviews with Katie, Steve and Tim where they lay out the basis for their stance on responsible disclosure. The discussion was calm during the interviews, but given how passionate each of these people is about the impact of this debate, expect some very interesting points to be made and maybe even some changes to how you view ‘responsible disclosure’.