Is the “Full Disclosure” vs “Non-Disclosure” Debate Dead? NOT

I was watching Matthew Watchinski walk through the events and activities behind our Adobe vulnerability this past February (see US CERT’s “Adobe Acrobat and Reader Vulnerability TA09-051A”). What struck me about Matt’s talk is a statement he made near the end:

“… Full Disclosure vs Non-Disclosure debate is dead. I learned this because my E-mail box did not fill up. I got like 4 E-mails. They said like ‘thank you for helping to protect my network ….”

Is the debate “dead?” Not based on Matt’s data points. What happened with this issue was not a matter of “Full Disclosure vs Non-Disclosure.” It was directly related to a business not being ready to respond to an [[Active Exploit]]. Active exploits should trigger a company’s emergency response. The CSIRT, Corporate Communications and Exec Staff should all be marching to the same tune, clearly and calmly telling their customers what they can do right now to mitigate the active exploit and when they can expect fixes, even if the fixes will take a while.

This is not rocket science. This is crisis management 101. Vendors who build products have to plan and be ready for vulnerabilities that become actively exploited. The [[Cyber-Criminal Economy]] increases this risk (see Matt’s talk). To do otherwise is a disservice to their customers.

This “be prepared” responsibility does not rest solely with the vendor. Every operator who runs a network should be asking their vendors, “What is your emergency response plan if one of your vulnerabilities becomes actively exploited?” The operator has to know what they can count on. If the network supports [[life and limb services]], then asking that question of the vendor should be a regulatory requirement.

IMHO, the “full disclosure vs non-disclosure” debate is not dead. What we’ve learned through this Adobe experience is that every vendor needs to be prepared to protect its customers with a crisis reaction plan. If they don’t, others will step forward in the best interest of the Internet’s Civic Society and help everyone protect themselves.

BTW, I encourage you to watch Matt’s presentation. It is worth the time investment.

Video: DojoSec Monthly Briefings – April 2009 – Matthew Watchinski, from Marcus Carey on Vimeo.