Responsible disclosure is a two-way street

Today I met with a disgruntled security expert. He works for a company that is paid to find holes in IT systems.

The problem he’s been facing recently is one of responsible disclosure. Responsible disclosure means that the researcher is unable to publish the findings of his or her work until the company whose software is flawed has produced a patch. It can take months, if not years, before a researcher is allowed to publish the fact that he or she discovered a bug. The security hole needs to be confirmed, the researcher needs to develop sample exploits, and these need to be tested by the company making the affected software.

The software company must also decide if and when to release a patch. The problem is that, because of the delays inherent in responsible disclosure, a security expert who finds a bug may discover that someone else has claimed credit for the security hole in the meantime.

Now, along with receiving acknowledgement for being the first person to discover the vulnerability, there is the intangible benefit that comes with recognition – the publicity and potential to win new business. The security researcher I spoke to estimated this could easily be worth £80,000 per bug.

We rely on such people to discover potentially dangerous holes in the software we use. The IT industry has a responsibility to ensure they are rightly credited for their efforts. Otherwise, why would they continue to abide by the rules of responsible disclosure?