Russian IT security veteran plans to publish undisclosed security flaws as zero-days, without notifying vendors

In an interview with US security journalist Brian Krebs, Legerov said he plans to release flaws in a range of packages that is expected to include the Zeus and Sun web server software, IBM DB2, Lotus Domino and Informix, and directory server products from Novell, Sun and Tivoli.

In his interview with Krebs, Legerov said that, after working with vendors long enough, "we've come to (the) conclusion that, to put it simply, it is a waste of time".

According to the IT security researcher, he and his team no longer intend to contact vendors before publishing security flaws, and no longer support the industry's 'responsible disclosure' policy.

Legerov's comments have drawn criticism from a wide range of security professionals, in particular Graham Cluley, senior technology consultant with Sophos, who said he can understand Legerov's frustration, but thinks it is wrong to release information about unpatched vulnerabilities.

According to Cluley, this approach will inevitably lead to innocent computer users having their systems compromised by attackers exploiting the zero-day vulnerabilities before a patch is available.

"What I think Legerov has failed to realise is that there is another way to get vulnerabilities fixed, whilst still behaving responsibly", Cluley said in an overnight blog posting.

"If a software vendor has failed to respond in an appropriate time to a vulnerability that exists in its shipping code then you don't have to go public with details of the security hole. Instead, you could use the power of the media to your advantage", Cluley said.

Cluley argues that, rather than posting detailed specifics of how to exploit the vulnerability on the internet, researchers can work with a friendly journalist and demonstrate the security hole without giving away the details needed to reproduce the attack.

The researcher, Cluley explained, can then rant as loud and long as they like about how frustrated they are with the software vendor.

It will, says Cluley, make a great news story, and that will pressure the vendor to take the necessary steps.

"Irresponsibly disclosing details of vulnerabilities is effectively putting a gun against the head of a software vendor, but risks shooting innocent users too", Cluley said.

"If you've found a serious vulnerability then a security journalist will be happy to discuss it, publicise it with their readers, and put pressure on the vendor to take appropriate action", Sophos' Cluley added.
