Disclosure – done right

Last week's commentary piece dealt with the DNS disclosure debacle. This one's about disclosure done right.
Oracle’s WebLogic Server (the “artist” formerly known as BEA WebLogic Server) was found to be vulnerable to remote exploitation due to a buffer overflow caused by “improper bounds checking by the Apache Connector” – read “lack of input validation”.
Oracle released an out-of-cycle patch, while taking the opportunity to lament the fact that the security researcher KingCope, who published the flaw, did so without first speaking privately to Oracle. What this means, in actuality, is that instead of letting Oracle sit on the bug for a few more weeks, the researcher forced them to fix their problem ASAP – to the greater benefit of Oracle customers.
But who is the unnamed hacker-benefactor? Well, we may never know. There’s a long history of researchers being harassed or even gagged by companies aggressively defending their past mistakes. ISS, for instance, made the headlines in 2005 when, in conjunction with Cisco, it acted to prevent researcher Michael Lynn from disclosing a vulnerability in Cisco IOS – one that had been known, in its outlines, for about a year, but which had not been addressed properly.
Responsible disclosure (what Dan Kaminsky tried to do) is all well and good, but sometimes companies have no incentive to fix bugs that are known only to themselves. If that is the case, providing such incentives (even in the form of public naming and shaming) is the responsible thing to do.

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest, where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.