The long running debate over what responsible disclosure should look like has reignited once again after a German security firm flagged that a “crucial” new bug has been found in Windows and networking protocol Samba.
SerNet has been criticized for creating unnecessary publicity around the flaw, which it has named “Badlock.”
Some critics have argued that it is nothing short of a marketing ploy by the company, but one which is bad for the white hat community as it also gives hackers several weeks to research an exploit.
According to the firm, a patch will be available on 12 April, but it went public with the news to ensure admins were made aware of it.
“The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process,” noted a statement on the site.
“Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.”
However, it is arguable just how much preparation administrators can actually do with no more information on the bug.
Even SerNet co-founder Johannes Loxen admitted the firm’s motives were partly commercially driven, in a now-deleted tweet: “A serious bug gets attention and marketing for us and our open source business is a side effect of course”.
The Badlock bug itself was discovered by Stefan Metzmacher, who is a Samba developer as well as a SerNet employee. There’s likely to be further criticism of the security firm if it turns out that the flawed code was written by him.
Some industry experts have backed the German security firm, however, with Veracode CTO, Chris Wysopal, claiming that anything which draws attention to the issue of application security is to be welcomed.
“I’d argue that the moniker ‘Heartbleed’ created so much buzz that it forced companies to evaluate their own exposure because Boards and senior management had heard of it and were asking,” he argued.
“Would the same be true if it were simply known as CVE-2014-0160? Of course, we don’t want to take this so far that the power of the naming gets oversaturated, like your favorite song on heavy radio rotation.”