Disclosure - done right

Răzvan STOICA

August 04, 2008

Oracle’s WebLogic Server (the “artist” formerly known as BEA WebLogic Server) was found to be vulnerable to remote exploitation due to a buffer overflow caused by “improper bounds checking by the Apache Connector” – read “lack of input validation”.
Oracle released an out-of-cycle patch, while taking the opportunity to lament the fact that the security researcher KingCope, who published the flaw, did it without first speaking privately to Oracle. What this means, in actuality, is that instead of letting Oracle sit on the bug for a few weeks more, the researcher forced them to fix their problem ASAP – to the greater benefit of Oracle customers.
Last week’s op-ed dealt with the DNS disclosure debacle – this week’s incident is a case study in disclosure done right. But who is the unnamed hacker-benefactor? Well, we may never know. There’s a long history of researchers being harassed or even gagged by companies aggressively defending their past mistakes. ISS, for instance, made the headlines in 2005 when, in conjunction with Cisco, it acted to prevent researcher Michael Lynn from disclosing a vulnerability in Cisco IOS – one that had been known, in its outlines, for about a year, but which had not been addressed properly.
Responsible disclosure (what Dan Kaminsky tried to do) is all well and good, only sometimes companies have no incentives to fix bugs that are known only to themselves. If that is the case, providing such incentives (even in the form of public naming and shaming) is the responsible thing to do.
Author
Răzvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.