Mozilla: Hackers control bug disclosure

Filed under
Moz/FF

The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla security chief Window Snyder said in a panel discussion at the ShmooCon hacker event here.

"The researcher has all the power," Snyder said. "They control when they disclose it, and they control the idea whether or not the vendor responds in time."

Releasing vulnerability details has been a hot topic for years. The software industry advocates private disclosure of a bug and time to fix it before a researcher goes public, a practice the industry calls responsible disclosure. After all, early release could help criminals launch cyberattacks and damage a vendor's reputation.

Security researchers who follow the industry's guidelines are often frustrated by a lack of response from software makers.

Full Story.