A call for Internet security disclosure guidelines

On July 13 a new worm launched that had the potential to become the biggest threat in Internet history. This worm, named Code Red, infected approximately 300,000 Microsoft Internet Information Servers and then, for good measure, took aim at the White House Web site in a denial-of-service attack on July 20. When this article was written, it appeared some malicious individual or group would relaunch Code Red.

Code Red is the latest example of a malicious-code threat that has been fueled by those who might normally try to contain it. The issue in the information security industry is full disclosure vs. responsible disclosure of these threats. Security companies that practice full disclosure believe releasing information about new software vulnerabilities should be immediate and comprehensive, regardless of the consequences. Those who practice responsible disclosure believe releasing all information to the media immediately is foolhardy and outright hazardous to Internet health.

In practicing full disclosure, the discovering security company informs the software vendor that it has found vulnerabilities that will cause headaches for, or harm to, the product’s users. After giving the vendor time to create a patch, the discovering company informs the press that it has found the flaw and knows how to protect companies from the vulnerability.

Sometimes, the security company also provides a detailed explanation of how to create what it calls a useful exploit, including code. Usually, shortly after the useful exploit is made public, a worm or virus will propagate based on this code. This was the genesis for Code Red.

The problems with full disclosure are not confined to the ammunition it provides hackers. By feeding the media a security threat story before the threat can be effectively gauged, security vendors have created a “cry wolf” scenario. In the case of Code Red, responsible and comprehensive reporting by the media was warranted due to the potential for widespread damage. But due to the sensationalizing of past security threats by security companies, the media could not report on potential alone, but instead had to wait until hundreds of thousands of companies were infected.

I am calling for disclosure guidelines that would provide a benchmark for how organizations are expected to behave regarding malicious code threats. Called responsible disclosure, these guidelines would provide a code of ethics and enforcement to dissuade anyone who would seek to profit from irresponsible disclosure of security issues, be they media, a computer security product vendor or an individual.

A new body based on these principles, the Responsible Disclosure Forum, would bring together many of the world’s leading security professionals to educate the public about security threats. If the forum is effective at promoting its ethics, it is hoped that more individuals would understand that placing the Internet at risk is not something to be done trivially. We can provide a conduit for research and development of the Internet without continuing to leave it at risk of annihilation in the process.

Cooper is surgeon general of TruSecure (www.trusecure.com) and editor of NTBugtraq. He can be reached at rcooper@trusecure.com.