Tuesday, August 22, 2006

Censorship and Common Sense in Security

Recently I posted a vulnerability to bugtraq@securityfocus.com, which is a public board for the open discussion of security issues. I reposted the message a week later and again a few days after that. Finally, several days later, I received an email saying that the moderator had not taken action on my post. I then resolved to notify a moderator, only to find out that there are many of them and that their contact information is not readily apparent, even in the "you've been rejected" email. So I posted a message that was sure to get a reaction. The response came in less than 2 minutes. This is a far cry from the previous posts, which took more than 24 hours to be included.

So now that I had their attention, the moderator began debating. He argued that confidentiality / privacy issues were not "security" related issues and didn't belong on the board. I was stunned. I reminded the moderator that the basic tenets of security are CIA (Confidentiality, Integrity, Availability). The moderator then responded with a two-page rant about why Firefox wasn't mandated to provide confidentiality or integrity.

I am concerned about the state of flaw disclosure in the computer security world. It appears that moderators favor some products while posting the most inconsequential flaws for other programs. It seems a privileged few companies get off easy while others get hammered.

I'm all for the little guy and I love Firefox, which is why I hoped that publishing this vulnerability would help get it fixed more quickly. I hope that in the future, security discussion boards will post "equal opportunity" flaws. By doing so, Bugtraq can help improve all products rather than hide exploitable vulnerabilities for certain favored vendors.

David Cross