[This was originally published on the OSVDB blog and re-published on the Sydney Morning Herald.]
Security advisories are a form of advertising. First and foremost, they are used to promote the technical capability of a security company and showcase the talent. If a researcher or company was completely altruistic, they would not release an advisory and would not care about credit if the vendor released an advisory. Releasing vulnerability information has been used as a form of marketing for over a decade, and it works for everyone. The company releasing the information gets free press, the security community gets vulnerability information in return. In recent years, many companies have relied on it for getting started and attracting their initial customer base.
With the full vs responsible disclosure debate a constant shroud hanging over security companies, they must be careful not to scare away potential customers by giving the impression that they don’t care about security or the repercussions of their disclosure. As such, many companies have taken a very strong stance on responsible disclosure, some arguably taking it too far.
One example of this strong stance is NGSSoftware, who began withholding details of vulnerabilities for 90 days, in order for administrators to have plenty of time to patch the vulnerability. This is a good thing overall, and NGSS has set a good example showing that security companies can help the community while protecting them just the same. Of course, NGSS should make sure to release those details after 90 days, something they don’t always do in a timely fashion. An example of NGSS’ policy can be seen in their recent post to Full-Disclosure as well as their immediate follow-up. While vague, it does tell us that multiple vulnerabilities were found, what software they were found in, and what types of vulnerabilities they are. These correspond to information provided in the Oracle security bulletin and serve as a warning of the severity/importance of the vendor patch.
A few weeks ago, Integrigy Corporation took it too far in my opinion. In a posting to Full-Disclosure titled Vulnerabilities in Oracle E-Business Suite 11i – Critical Patch Update October 2005, they provided a four-page summary of... no vulnerability disclosure. The bulk of the post was to point out that they had released an analysis of the Oracle patches and what it could mean for customers. While this information is helpful, it is NOT disclosing a vulnerability in any fashion. The only thing resembling disclosure was the ‘credit’ section, which states:
Some of the vulnerabilities fixed in the Critical Patch Update October 2005 were discovered and reported to Oracle by Stephen Kost of Integrigy Corporation.
This isn’t disclosing a vulnerability, and should not be posted to a list centered around full disclosure. The company name “Integrigy” appears 14 times in the post, and their company URL 3 times. They mention their products AppSentry and AppDefend a total of four times.
Argue all you want, but this is blatant advertisement, not a security advisory.