Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

1 disclosure in practice

October 2nd, 2007

What is responsible disclosure or full disclosure and what might it not be?
Information security researchers work in a field that does not exhibit the characteristics of a well-developed scientific discipline. For instance, neither paradigms, terminology nor values have the same meaning among fellow researchers as they do in well-established scientific disciplines.
We are starting a series of postings that addresses this issue in more depth. All hyperlinks provide you with detailed definitions of these terms from the CyTRAP glossary – getting the jargon right (please click on the link, log in as guest, click on the link again and you have free access).

This is the beginning of a 4-part series regarding the terms used in the field of information security and the field's maturity in having a shared system of beliefs, terms and interpretations of the latter.

As our discussions will reveal, we have come a long way, but we are still far from being a mature discipline with shared systems of beliefs and paradigms. In fact, the same term can mean vastly different things to people who do the same type of work.

We have discussed that programmers make errors, that bugs could result in failures of a program, and that failures could finally result in malfunctioning.

The above and the definitions we provided are of particular importance, since the bug or fault issue is at the core of what every programmer needs to know; if programmers do not get their act together, system administrators will continue to have to deal with updates and patches.

For most users, a major concern regarding patches and bugs is the monthly update, or Patch Tuesday, for Microsoft products. However, these patches may not be released until months after Microsoft has received information from the discoverer of the bug or vulnerability. As well, opinions diverge quite a bit regarding when disclosure should be done, how it should be done, and when the appropriate time is to do so.

The difficulty lies also in defining and agreeing upon the term responsible disclosure, sometimes also referred to as responsible vulnerability disclosure.

Defining the above terms warrants some discussion. The challenge in defining this term lies in the eye of the beholder, such as the:
– party who discovered the vulnerability,
– software vendor,
– user of the software and
– public at large (i.e. it might have an effect upon critical infrastructure).


Improving information security requires that we come to an agreement regarding the terms, paradigms and approaches we use. We have made an initial attempt to put forward some definitions that should help in clarifying things further. Nonetheless, more work is needed.

For instance, a problem arises if a software vendor, such as Microsoft, feels that another party has not practiced responsible disclosure because some information is released before Microsoft has fixed some internal problems (e.g., the patch is not yet distributed properly via automatic update and other systems). Who is right?
Stay tuned; we will bring you more about these issues next week.



