Bug Hunters and Their ‘Responsible Disclosures’
The software industry has long been issuing vulnerability disclosures. Efforts toward "responsible disclosure" have made their mark, but software security researchers still keep the process under their own control, said Window Snyder, security chief of Mozilla, in a statement to the press that Zdnetindia published on March 26, 2007.
The release of vulnerability details has long been a hot topic. Responsible disclosure refers to the software industry's practice of encouraging a researcher to report a bug privately so that it can be repaired before the researcher goes public. The private disclosure is called responsible because, while the bug is known only to those working on its fix, cyber criminals do not learn of it and cannot exploit it. Vendors, for their part, act responsibly by responding to the bug reports they receive, Snyder said.
But Aitel sees it differently, saying that bug hunters should sell vulnerability information rather than disclose it to vendors. Immunity, a security software company, buys security vulnerabilities from bug hunters for use in its products, such as penetration testing tools that can help break into computers and networks.
However, Chris Wysopal, CTO and founder of the security review company Veracode, disagrees that bug hunters are always responsible.
More than 400 enterprises worldwide in the insurance, financial services, government, manufacturing, services, and energy industries currently engage security firms to monitor and improve the security of their computers and networks, Ecommercetimes reported on March 30, 2007. These security firms protect their clients' personally identifiable information, including names, addresses, passwords, Social Security numbers, and credit card numbers, which hackers remain on the lookout for.
Today every company is security conscious, but not all of them buy into "responsible disclosure". Software makers have turned it into a trap, according to Dave Aitel of Immunity: "responsible disclosure" is a marketing term under the control of big vendors such as Microsoft.
The corporate world is most concerned with data security. Therefore forums, summits and related organizations like the Organization of Unstoppable CTO Hackers (OUCH) are formed to spread awareness about hackers' activities and the techniques they use. Such initiatives provide valuable lessons about all aspects of data security.
SPAMfighter News - 04-04-2007