The ethics of vulnerability disclosure

Badlock, a newly publicised vulnerability is making the rounds with a catch…the patch is not available for another 3 weeks. However, marketing hype is already doing the rounds.

What makes this vulnerability big is the hint that it affects SMB used in SAMBA/Windows File sharing and as SAMBA is open source, vulnerability researchers good and bad will be scrambling through the code.

How, given the wide spread reach of the vulnerability, the hype is not called for. Three weeks in information security land is a lot of time and the wide spread use of SMB means organisations could be sitting ducks.

People that wield power must act sensibly, if you know something that could affect a lot of people use power with discretion, report vulnerabilities to vendors and ensure that a working fix is applied by customers before causing mass mayhem. Defenders already have a hard time keeping people out, we shouldn’t be fighting amongst ourselves.

As always, opinions welcome. Thanks to Steve Regan (@SteveD3) for exposing this.


Cross published on Peerlyst:


edit: 24/3: typo


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s