The Google Security Team just posted a blog entry attempting to restore meaning to “responsible disclosure.” It is absolutely worth reading.

As I see it, the phrase “responsible disclosure” has been stripped of meaning by vendors who use it as an excuse not to prioritize their customers’ computer security. Irresponsible vendors have tried to make “responsible disclosure” mean a one-sided arrangement in which vendors get to set all the timelines for disclosure of all vulnerabilities. This irresponsible attempt at redefinition inevitably alienates “white hat” software vulnerability researchers, and it leaves the software ecosystem more vulnerable, not less.

Fundamentally, “responsible disclosure” means that the researcher makes a best effort to put the needs of the end user first. When it is reasonable to assume that the vulnerability is newly discovered, it helps the end user to disclose first to the maintainer of the software (whether that’s a vendor or otherwise). It also helps the end user to give the maintainer time to fix it right, so that the vulnerability is really fixed and new vulnerabilities are not created. But when the maintainer doesn’t bother to give the vulnerability priority, that just gives attackers more time to independently discover the vulnerability and use it to subvert the end users’ systems, which does not serve the end users’ interests.

When there is reason to think that a vulnerability is already known outside the responsible security research community, it is clearly responsible to immediately disclose at least enough information to allow security-conscious end users to secure their systems against attack. It should also be noted that this is almost always enough information to allow the unscrupulous to separately discover and make use of the vulnerability, so in this case responsible handling of the security flaw requires the maintainer to make finding an immediate mitigation its top priority, even if further work (also at high priority) is required to fully resolve the issue.

Some have suggested that the “responsible disclosure” emperor is wearing no clothes. I disagree. I think the problem is that irresponsible vendors have substituted an unclothed mannequin for the emperor, and are trying to pass off irresponsible handling of vulnerabilities as “responsible disclosure”.

Responsible disclosure must be, first of all, responsible, and the responsibility is primarily to the end user. Security disclosure that primarily addresses vendor convenience is irresponsible.