Full disclosure (computer security)
Full disclosure is a controversial subject in computer security. In short, it means that if you discover a security vulnerability in some software, you should report it publicly. Likewise, if you find that someone has cracked your computer and left behind previously unknown cracking tools, you should make them publicly available, preferably through Bugtraq.
The controversy is easy to spot. Making a cracking tool publicly available means that blackhats and script kiddies will get their hands on it. It also means that whitehats will get their hands on it, and that the vulnerability will get patched, and fast. It is often considered good practice to give the vendor prior warning if the bug is not being exploited in the wild, so that a patch can be ready at the time of disclosure. This does not apply, however, if the vulnerability is already being actively exploited, for example if you find an exploit on a cracked system that you administer.
Full disclosure came to life after it became clear that the method employed by CERT did not work out as intended. Vulnerabilities were reported to the companies that made the software, which in turn asked for more time to fix the problems. In some cases it is rumored to have taken years before a patch was issued, and in the meantime the vulnerabilities were actively exploited by crackers. The software companies' habit of keeping vulnerabilities quiet rather than fixing them became known as security through obscurity.
To address the controversy over disclosing harmful information to the general Internet community, blackhats included, Rain Forest Puppy developed the RFPolicy, an attempt to define a proper way to alert vendors to security problems in their products, and what to do when the vendor fails to respond.
A movement against full disclosure, named Anti Security, also appeared.
Future expansion of this article should mention:
- the history of full disclosure
- Elias Levy, and the article "Smashing the Stack for Fun and Profit"
- much more
See also: