When Is the Right Time to Disclose a Flaw?

Michael Lynn quit his job in order to give a presentation to the Black Hat conference about a serious flaw in Cisco's IOS, the operating system in use on the majority of Internet infrastructure devices out there. The flaw allows attackers to run arbitrary code on the devices, which means we could be seeing router worms in the very near future.

Cisco and ISS both tried to stop Lynn from giving his presentation, claiming that the presentation compromised their intellectual property.

There are those who believe that the vendor should be given time to fix a flaw before it is disclosed to the public. Others believe in full, immediate disclosure. The reason that Lynn gave for his actions is that “It has been confirmed that bad people are working on this [compromising IOS]. The right thing to do here is to make sure that everyone knows that it’s vulnerable.”

If the goal of preventing disclosure of a security flaw is to keep the bad guys from getting it, then in this case, if Lynn is correct, it's too late. A simple litmus test might be to ask whether the Bad Guys already know. If a researcher discovers a vulnerability that he is reasonably sure others don't know about, it seems perfectly reasonable to disclose the vulnerability to the vendor and give them plenty of time to fix it. However, when it's likely that the Bad Guys are working on compromises already, people need to be prepared. In this case, if the "confirmation" turns out to be correct, I think Cisco and ISS have no leg to stand on and in fact should be ashamed of themselves for hiding the information, and Michael Lynn is a hero. On the other hand, if Lynn didn't really know that "bad people are working on this," then as far as I'm concerned he's on his own.

It seems clear to me that

It seems clear to me that you should notify the vendor of the full details immediately. And that you should notify the public of the exploit's existence.

But it's not clear that you should notify the public of the details immediately. That gains good people some additional information about how to defend themselves, but it gains bad people tons of information about how to attack. It gives the attackers a head start on the defenders.

Like Sean says, it seems to me that how much time you wait before releasing the exploit should depend on whether it's known to the bad guys. Because the downside of releasing it is that lots of bad guys find out about it. If it takes less time to implement the exploit than to patch a protection, that's going to do more harm than good. I don't think it should be illegal, but it seems bad.

But you can't sit on it forever - for one thing, public release is likely to spur the vendor to quicker action.

I agree that full disclosure

I agree that full disclosure is the "right" answer. However, IMHO disclosing flaws before informing the vendor or before most people would agree that the vendor has had sufficient time to prepare a fix and before most people (read: juries) would agree that the bad guys already have the information is a risky endeavor. It's a good way to be "right" while also losing a lawsuit or going to jail.

I second Matt's comment.

I second Matt's comment. Even if you are the first to discover it, the Bad Guys might discover it tomorrow while you're wrangling with the vendor.

The right time to disclose a

The right time to disclose a flaw is immediately. Always assume that if you're smart enough to find it, so is someone else. Call it the efficient hackers hypothesis.

Michael *did not* release

Michael *did not* release the details of the exploit - no script kiddies will be exploiting IOS because of his presentation. He only *demonstrated* the vulnerability, which, by the way, Cisco is claiming is not a vulnerability.

The debate about full disclosure has been going on for ages in the white hat hacker community, but this case has far more to do with Cisco being embarrassed and having the money to bankrupt their detractors in court.

Ditto to eggrold. The

Ditto to eggrold. The exploit he demonstrated had also already been patched by Cisco before he demonstrated it. No harm was done here to anything but Cisco's ego.

Moreover, Lynn's work at ISS

Moreover, Lynn's work at ISS on this very subject had been assisted by Cisco for the preceding several months. Up until about a week before the conference, the talk was going to be co-presented by Lynn and a Cisco employee.

You can see Lynn's slides here. The only stuff that could really be objectionable in them are various fragments of assembly code, easily obtainable by decompressing (essentially unzipping) the firmware image. Cisco now claims that this decompressing was illegal.

Thanks for the info, eggroid

Thanks for the info, eggroid and Phelps. I think we'll be seeing more stories like this in the future where companies use "intellectual property" and the DMCA to try to scare people into keeping quiet about things like this.