If you beat a dog long enough it won’t bark anymore. Never a recommended approach (to say the least). The same can be said of vulnerability reporting. More and more researchers are reticent to publish details of their findings. Now we see academics advising students to look the other way if they find a problem. Ouch.
Pascal Meunier, author of the Cassandra system, and a researcher at the Centre for Education and Research in Information and Assurance (CERIAS) at Purdue University, reckons it has become too risky to report security flaws in websites to their administrators. His opinion was formed after reporting a vulnerability in custom software on a production website discovered by one of his students.
The site was subsequently hacked, using a different vulnerability, leading police to treat him as a potential suspect. The student involved agreed to come forward, thereby defusing the situation. But it could easily have been a different story, leaving Meunier with the ethical dilemma of disclosing the identity of his source under threat of putting his job at risk, because police tend to treat those reporting security holes as hackers.
How do we find the happy medium where legitimate researchers can work without worrying about having their door kicked in?