Responsible Disclosure?

I recently had another occasion to make a full disclosure and was chided by some of my colleagues for doing so. Many thought I shouldn't have announced the vulnerability on a public list. I assume they felt that working with the vendor to fix the issue first would have been a more responsible course of action.

In this particular case the personal information of the organization's members was being leaked through a conference registration application. While I understand the desire to work with a vendor to fix a problem before disclosing it publicly (the practice usually called "responsible disclosure"), I continue to disagree with that practice in most situations.

In this case, and in many others, I am a paying member of the organization, so I am effectively subsidizing that organization's security. Instead of the organization's own security staff finding problems with their system, I found a problem as a paying client. Because I'm a paying customer I'm justifiably upset that the organization is disclosing my personal information. However, by working quietly with the organization I provide it with a service for which I receive no compensation. I'm essentially improving the organization's security pro bono. Granted, this helps protect my personal information, but the only reason the organization has my information in the first place is that I'm paying them. The organization isn't investing properly in its security, yet it is rewarded with free work from its customers. In effect it forces its customers to pay twice: once for the service, and once to keep the service secure. This is an all-too-common model, and one that needs to stop. We need to demand better security up front, and one way to get it is to shame a company into providing it.

Another important consideration when working with a vendor under a "responsible disclosure" model is that the other members of the organization are never told that their information has been exposed. In the best case they are told, but only after a window of vulnerability has already elapsed while the patch was being developed. I would hope that if another member of this organization discovered that my personal information was being disclosed without my consent, they would let me know so I could re-evaluate my relationship with that organization. Withholding the information until a fix is available denies others the opportunity to withdraw their information from the organization or terminate their relationship with it, leaving them exposed for a period over which they have no control.

Thus, "responsible disclosure" does a disservice to other members while providing free service to the organization. Such practices encourage poor security, because organizations can rely on their paying customers to find security problems and report them. In this way organizations shift the responsibility for security onto their clients, a double whammy when those clients are also paying customers. In my situation the disclosure wouldn't have allowed malicious hackers to cause massive outages either; this was a customer relations flaw, not an availability flaw. Insisting that security professionals always follow "responsible disclosure" doesn't help anyone: it rewards bad vendor behavior and hurts other customers.