Recently I’ve been discussing how vulnerability discovery is more important than disclosure, and also how website owners are going to have to deal with disclosure whether they like it or not. Scott Berinato (CSO) just posted The Chilling Effect, a very well-written article describing the current web security environment and where we’re heading. Definitely worth the read, and RSnake has posted his comments.
From the experts:
Dr. Pascal Meunier (Professor, Purdue University)
“He ceased using disclosure as a teaching opportunity as well. Meunier wrote a five-point don't-ask-don't-tell plan he intended to give to cs390s students at the beginning of each semester. If they found a Web vulnerability, no matter how serious or threatening, Meunier wrote, he didn't want to hear about it.”
RSnake (ha.ckers.org and sla.ckers.org)
“RSnake doesn't think responsible disclosure, even if it were somehow developed for Web vulnerabilities (and we've already seen how hard that will be, technically), can work.”
Jeremiah Grossman (CTO, WhiteHat Security)
“Logistically, there's no way to disclose this stuff to all the interested parties,” Grossman says. “I used to think it was my moral professional duty to report every vulnerability, but it would take up my whole day.”
Chris Wysopal (CTO, Veracode)
“… responsible disclosure guidelines, ones he helped develop, ‘don't apply at all with Web vulnerabilities.’”
Jennifer Granick (Stanford's Center for Internet and Society)
“Granick would like to see a rule established that states it's not illegal to report truthful information about a website vulnerability, when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it.”