Community, Editorials, Ethics, SQL Server

Do You Disclose Immediately… Or…?

One of the big news items of the day is that Microsoft’s internal database of vulnerabilities was hacked in 2013.  That’s a while ago!  As I was reading all of the posts talking about how these types of things should immediately be disclosed, and that it applies not only to a hack of systems, but also disclosing vulnerabilities, I found that I was arguing a bit with myself.

See “Microsoft never disclosed 2013 hack of secret vulnerability database”

When DO vulnerabilities and exploits need to be disclosed? I know some companies have policies on this to allow time to correct whatever issue was found. But then of course if they don’t talk about it, or worse yet, don’t fix it, they’re left with a known vulnerability and no awareness of the issue (and no pressure to correct, frankly).

Of course the flip side is that if they disclose the vulnerability prior to having a correction, the chances are much greater that additional malicious actors will try to exploit the flaw. It’s sort of like providing a road map for doing bad things with the vulnerability.

I’m not sure where the answer lies. As an IT person, I’d rather know sooner than later, but just don’t tell the bad guys. 🙂 Of course, that’s not realistic. At the same time, unfortunately, there is value in the pressure to correct an issue that has become public knowledge. If you think about how many times you’ve seen “XYZ company has waited far too long to correct this issue” type headlines, you no doubt know that this pressure is sometimes what it takes.

What is your preference?

I suppose the answer is something along the lines of “it depends.” It’s sure to depend on the type of vulnerability and the damage it’s doing or could be doing. It also depends on the cure: what has to be done to correct it, and what is the process to roll out that change?

There’s a big piece of me that is all about transparency. That seems to apply to disclosure of information that has been divulged when it shouldn’t have been, that type of thing. But vulnerabilities may need a more controlled transparency, if that’s a thing.

What say you?