Internet Security Systems - AlertCon(TM)

When can alerting the public about exploitation do more harm than good?

Posted by Tom Cross on July 15, 2011 at 12:22 PM EDT.

Holly Stewart from the Microsoft Malware Protection Center presented with me at the FIRST Conference in Vienna, Austria a few weeks ago on the subject of when to alert the public that a vulnerability is being exploited.

Lots of ink has been spilled on the ethics and timing of vulnerability disclosure, but there hasn't been a lot of discussion about when to disclose that a vulnerability is being exploited. Many people assume that it makes sense to alert the public immediately, whenever exploitation is detected. Holly thought that the reality might be more complicated than that, and as we started to look at some real-world cases it turned out to be an interesting question.

In our presentation we attempted to define a framework that explains when disclosure is helpful to the community and when it can do harm by attracting attackers to an opportunity without arming defenders with actionable information. You can download our slides here. We plan to continue to investigate this question in the future and of course we're always interested in your feedback.
