It's become great sport — and often profitable — to identify vulnerabilities in applications, operating systems, and LAN/WAN device controlling software. These activities are not in themselves a problem. It's the efforts of white hat hackers that help vendors tighten up product security and increase user awareness of high-risk environments or actions. But when greed or the need for 15 minutes of fame results in the untimely public disclosure of discovered weaknesses, some white hats start looking a little gray.
I'm well aware of the arguments that claim vendors are slow to respond to reported vulnerabilities. Although progress has been made, companies such as Microsoft, Oracle, and other major suppliers must do better. Every effort must be made to shore up breaches in software security as soon as possible after identified. Excuses about modification cycle times must not get in the way of stepping up to deal responsibly with consumer risk. However, I don't believe this gives anyone the right to publicly disclose product vulnerabilities before they are properly dealt with.
Claims that public disclosure helps protect consumers carry little weight. Most consumers have no idea what to do with the information. They rely on vendor patches and product updates to maintain system assurance. The only winners, besides the person making the announcement, are the black hat hackers who haven't yet found the weakness themselves. I believe the most common reason some white hats make their discoveries public is recognition by their peers or by potential security company employers.
The debate between these two factions about the appropriateness of public disclosure has only one winner — cybercriminals. Black hats who don't have to work as hard to discover vulnerabilities on their own. The clear losers are the rest of us who use products for which assurance is degraded as additional attack vectors are made public.
The answer, as in most debates like this one, is cooperation by both sides. White hats must work closely with vendors to share information about the flaws they find. On the other hand, vendors must significantly shorten the time between discovery and remediation. Consumers will win only when posturing on both sides ends and sincere effort at securing personal, business, and national infrastructure begins.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.