Responsible vulnerability disclosure refers to the best practice, followed by most security researchers, of not publicly disclosing a critical vulnerability in a software product until a vendor patch or fix is readily available.
The reason security analysts and researchers do not share the information publicly is that attackers and cyber criminals are often able to exploit an announced vulnerability far faster than vendors can produce a patch and customers can deploy it to protect their networks, data, and systems. That is why this practice is called responsible disclosure and is considered a best practice, though no laws compel security researchers to follow it.
FULL DISCLOSURE – WHY IT’S NOT IDEAL
Occasionally a security researcher may discover a flaw in your app or systems. The researcher is then responsible for reporting the vulnerability. In most cases, an ethical hacker will privately report the flaw to your team and allow your team a reasonable timeframe to fix the issue. In some cases, they may instead publish the details directly to alert the public.
Disclosing a vulnerability to the public is known as full disclosure, and there are different reasons why a security researcher may take this path. A security researcher may disclose a vulnerability if:
- They are unable to get in contact with the company.
- Their vulnerability report was ignored (no reply or unhelpful response).
- The reported vulnerability was not fixed.
- They felt notifying the public would prompt a fix.
- They are afraid of legal prosecution.
While not a common occurrence, full disclosure can put pressure on your development team and PR department, especially if the hacker has not first informed your company. These scenarios can lead to negative press and a scramble to fix the vulnerability.
IS FULL DISCLOSURE MORALLY SOUND?
If a finder has done everything possible to alert an organization of a vulnerability and been unsuccessful, full disclosure is the option of last resort. Some security experts believe full disclosure is a proactive security measure. Their argument is that the public scrutiny it generates is the most reliable way to build security awareness. Others believe it is a careless technique that exposes the flaw to other potential attackers. Regardless of where you stand, getting hacked is a situation worth protecting against.
At times, the organization receiving the disclosure may not act appropriately. They may react negatively to the disclosure, and depending on the laws of your country, you could end up being sued. That is why we always suggest involving a lawyer before making the disclosure.