
Full disclosure

Full disclosure is a philosophy of security management completely opposed to the principle of security through obscurity.

The issue of full disclosure is controversial, but not new: locksmiths were discussing full disclosure over a century ago.

Full disclosure of computer security problems

There are several overall questions of policy: When and to whom is disclosure made, and how much is disclosed.

Full disclosure is one approach, in which full details of the vulnerability are disclosed to the public, often through Bugtraq or similar means. This must include disclosure of the details of the vulnerability (including how to detect and exploit it). More controversially, it may also involve release of sample code or an executable tool to exploit the problem.

If there are no public exploits for the problem, full and public disclosure should normally be preceded by disclosure of the vulnerability to the vendors or authors of the system. This will allow time for a security fix or workaround to be produced. This is one of the possible meanings of the term Responsible disclosure.

If a fix is not produced within a reasonable time, disclosure normally goes ahead regardless, although ISS were widely criticised for allowing under 8 hours before they disclosed details of a vulnerability in the Apache webserver.

Limited disclosure, with full details going to a restricted community of developers and vendors, and only the existence of the problem being released to the public, is another possible approach. Advocates of this approach also claim the term "Responsible disclosure".

The controversy over full disclosure is easy to understand. The disadvantage of making available a cracking tool, or details of how to exploit a vulnerability, is that blackhats and script kiddies will get their hands on them, and more systems will be attacked. The advantage of disclosure is that whitehats will obtain the information, and that the vulnerability will be detected and patched more quickly.

Full disclosure came to life after it became clear that the method employed by CERT didn't work out as intended. Vulnerabilities were reported to the companies that made the software, which sometimes asked for more and more time to fix the problems. In some cases it is rumored to have taken years before a patch was issued. In the meantime, the vulnerabilities were actively exploited by crackers. The tendency by software companies to ignore warnings and rely on crackers' ignorance of the problem became known as security through obscurity.

To address the controversy of disclosing harmful information to the general Internet community, including blackhats, Rain Forest Puppy developed the RFPolicy, which is an attempt to create a proper way to alert vendors to security problems in their products, and establish guidelines on what to do if the vendor fails to respond.

There was a movement against full disclosure named Anti Security. (Does it still exist?)

See also: Full Disclosure Debate Bibliography - By Date