[This was originally published on the OSVDB blog.]
ZDnet Asia had an article recentl, titled “Bug hunters, software firms in uneasy alliance” which brought up the age old full disclosure (or ‘responsible’ disclosure) debate. This prompted a slashdot thread with various comments.
My favorite pop tart, Mary Ann Davidson (chief security officer at Oracle) managed to get quoted again. As usual, she still seems to have this serious disconnect between “responsible disclosure” and “responsible patching”. Let me quote a small portion of the article, see if it jumps out at you too.
Mary Ann Davidson, chief security officer at Oracle, sees security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on News.com. “The reality is that most vendors are trying to do better in vulnerability handling. Most don’t need threats to do so,” Davidson said.
Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided.
Oracle chided Kornbrust as irresponsible for disclosing the data.
These vulnerabilities were disclosed to Oracle on 2003-07-31 and disclosed to the public on 2005-07-19. Three of them were Cross-Site Scripting (XSS), considered by most to be trivial to patch. Who is irresponsible here?