I subscribe to the Microsoft Security Response twitter feed, and they put out an announcement about a newly disclosed exploit in the Windows XP help center.

Disclosure article: http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html

Microsoft response: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx


The first article at the bottom makes a case for public disclosure.

The Microsoft response wholeheartedly condemns the public disclosure.

So I put it to you: your opinion on public disclosure of new exploits?

“We must always think about things, and we must think about things as they are, not as they are said to be.” George Bernard Shaw

Public disclosure has never been in the best interest of any vendor for a lot of reasons. Firstly, it can be quite costly for them to run around and mop up their mess. Secondly, it can be quite embarassing. Thirdly, its almost always more economical for them to play damage control "condemn the researcher" than to do the right thing.

Let's take a theoretical look at what happens when a vulnerability is submitted to a vendor. Using MS as an example since we're speaking of them, let's go through the motions of submitting a bug. 1) Person in MSRC opens message and asks for more information. (n amount of time) 2) Person in MSRC acts to escalate 3) Other individuals on the team take a look at it. 4) Validation slash replication of exploitation takes place. 5) Buggy code in program investigated 6) Buggy code found and fixed 7) Marketing hype downplaying bug is created/generated Patch Tuesday (or better depending on the severity of the bug).

I figure my numbers in man hours here... Let's assume it took 2 months to determine what was going on and I use this number based on the following comment from the Daily Dave mailing list:


So two months is generous. Let's suppose 12 people took 2 hours per work week on my personal bug. 24 man hours (salary) per week * 8 weeks (2 months). 192 total hours down the tube so far. Now let's assume all these employees average a salary of $75,000.00 per year which is extremely low if you ask me, but I'm trying to be fair and theoretical here. At that salary divided by 52 weeks they'd make an estimated $1,442.31 per week or 36.06 per hour. $4,615.38 to fix this bug? Highly doubtful... That cost is ENORMOUSLY low but I'll roll with it anyway. So we have a loss of $4,615.38 multiplied by how many bugs per year here? At my rock-bottom prices, ZDI disclosed 18 advisories to date for MS which would total $83,076.84 in loss from ZDI alone.

Now be realistic about this, I figure a typical bug to average about $10-20,000.00 in costs to fix and I have read that MS pays to the tune of $1,000,000.00 and up per bug fix in R&D, fixing, pushing out, etc.. So again, if this holds true, my numbers are peanuts (obviously). Let's round things off to 10k per bug found and fixed... Using last year's data (2009):


At this rate, (10k per fix) MS just threw out $230,000.00 on bugs alone which is peanuts in comparison to their earning. Now much would you like to bet that the actual number for 2009 was probably 20x more? Remember, my numbers are ONLY based on exploit(ed)able issues. Imagine how much MS spends on investigating issues that don't produce results (false positives). So what do you think works better for companies like MS... Spending some marketing time downplaying security as a whole and security research and the researchers. Or actually providing fixes and or good code.

Business as usual dot dot dot Because businesses are in the business to (*drum roll*) make money, you have to understand the potential economic impact of a security hole being discovered and disclosed. For Microsoft, they're in the business to make money not throw it away so it boils down to damage control. If the bug triggers shaky confidence in Microsoft's stock a one percent drop means MS loses $2,310,540,000.00 at this moment based on its market cap. So you tell me, what would make more sense financially for you if you were in a business manager's shoes?

yatz, I tried to be responsive so that others may understand the numbers I get the impression there are a lot of newcomers and young individuals here who probably aren't aware of many security factors. The entire topic of full-disclosure, responsible disclosure, etc., has been argued for years on end.

My personal fave happens to be Marcus Ranum's responses on this http://www.ranum.com/security/computer_security/editorials/disclosure-1/ I've always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I'm tempted to fire off an email and say... WTH.

Please take a quick minute or two to check out his paper. There is a lot of truth in what he says when it comes to security and "the fame"

Personally, I am mostly against public disclosure. As sil's link by Ranum pointed, I strongly believe that fame and marketing are the motives behind public disclosure. I just could never agree that the so-called "benefits" of it can really be that beneficial.

In general though, I am not involved in exploitation (not yet, dunno what may happen later) and probably this is why I see things from this perspective.

The new Hakin9 issue (July) has an article regarding disclosure and the whole debate thing.

The new issue can be downloaded from:
http://hakin9.org/magazine/1255-securing-voip