Full disclosure of computer security vulnerabilities: an examination of the debate

Abstract

BugTraq, a popular mailing list now hosted by securityfocus.com, was founded in 1993 to provide a forum for open publication of computer and network security vulnerabilities. Due primarily to the rapid pace of software development and the proliferation of the Internet, there has been a shift away from keeping computer security vulnerabilities private. Prior to such mailing lists as BugTraq, information on computer and network security vulnerabilities remained in the hands of a few, primarily computer security researchers and the underground criminal element. Retaliation to this form of private information has led many working in computer security to adopt what has become known as full disclosure. The practice of publicly disclosing computer security vulnerabilities has led to a heated debate, as there are both positive and negative consequences of releasing such information to the masses. The goal of this distinction project is to determine the attitudes that those in the computer security community currently hold regarding issues surrounding full disclosure. Two hypotheses are tested. First, a majority of those in the computer security field support the full disclosure model of disseminating vulnerability information and second, attitudes on the full disclosure debate will vary across participation in different computer security circles. In order to test these hypotheses, opinions from users of full disclosure information and computer security practitioners were solicited through use of an on-line survey. Survey links were distributed through the FBI-coordinated computer security organization, InfraGard, the Information Systems Security Association, and the popular full disclosure mailing list, BugTraq.