In this article at The Register, a point is raised; is it even worth disclosing vulnerabilities, considering the ramifications?
In the cryptographic community, disclosure is mortar; it is responsible for the stability of research in the field. Good, secure cryptographic design is a product of the cryptanalytical aptitude that was built before it. Simply put, cryptography in general has been successful because cryptanalysts are able to publish results. These results may include practical attacks on applied cryptographic systems, which leads me to wonder: in the context of this issue, could a cryptanalyst face legal woes for disclosing a cryptographic weakness? Probably; it’s contextual.
Over the decades, the reason we’ve built progressively better cryptography is because of cryptanalytical results published by fellow cryptographers; younger, maturing cryptographers, such as myself, look to these past results as our foundation. Recognizing and disclosing insecurity is essential for the rethinking and designing of security.
There are nooks and crannies to the disclosure debate that have been investigated over the years, but when all is said and done, disclosure, in general, is a necessity. Errors resulting in insecurity are inevitable, but they cannot be shrugged off as a matter of course, then pushed to the side. Correctness and security are both crucial.
As humans, we have an unspoken duty of defending our basic human rights. If there were a bill of security rights, disclosure would be on there, without a doubt; it would likely be the first. As security folks, the ethical thing to do is uphold the very core of our field – the ability to publish analysis – yet we’re faced with opposition for doing so. We’re starting to see where the boundaries lie. Unfortunately, this suppresses full disclosure by reducing the incentive to uphold it.
I’m curious as to what other folks in the field have had to endure. So, folks?