Full disclosure


Showing revision 3
Full disclosure is a controversial subject when thinking about computer security. It basically means that if you discover a security vulnerability in some software, you should report it publicly. If you find that someone has cracked your computer, and find previously unknown cracking tools, you should make them publicly available, preferably through Bugtraq.

The controversy is easy to spot. Making a cracking tool publicly available means that black hats will get their hands on it. It also means that white hats will get their hands on it, and that the vulnerability WILL get patched, and fast. It is often looked upon as good practice to give a vendor prior warning if the bug is not being exploited in the wild, so that they may have a patch ready at the time of disclosure. This, however, does not apply if the vulnerability is actively exploited, for example if you find an exploit on a cracked system you administer.

Full disclosure came to life after it became clear that the method employed by CERT didn't work out as intended. Vulnerabilities were reported to the companies that made the software, which in turn asked for more time to fix the problems. In some cases it is rumored to have taken years before a patch was issued. In the meantime, the vulnerabilities were actively exploited by crackers. The tendency of software companies to ignore warnings became known as security through obscurity.

future expansion of article should mention:

See also:


Edited December 5, 2001 7:18 pm by Arcade