Full disclosure

related topics
{law, state, case}
{system, computer, user}
{theory, work, human}
{day, year, event}
{math, number, function}
{company, market, business}
{work, book, publish}
{@card@, make, design}

In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.



Full disclosure requires[citation needed] that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to protect their system from potential attacks as well as to protect their own image. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as a Full-Disclosure mailing list and by other means.

Various interpretations

Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.

Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called responsible disclosure.

In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public. Opinions differ on what constitutes a reasonable time[citation needed]. Fourteen to thirty days is typical, although the period could be a matter of hours.[citation needed] Internet Security Systems was widely criticized for allowing less than eight hours before disclosing details of a vulnerability in the Apache HTTP Server.[citation needed]

Limited disclosure, is an alternative approach where full details of the vulnerability are provided to a restricted community of developers and vendors while the public is only informed of a potential security issue. Advocates of this approach also claim the term "responsible disclosure".[citation needed]

Full article ▸

related documents
Regulation of Investigatory Powers Act 2000
Practice of law
McCulloch v. Maryland
Section 508 Amendment to the Rehabilitation Act of 1973
Civil liberties
Electric chair
Possession (law)
International Criminal Tribunal for the former Yugoslavia
Riot Act
Procedural law
Asylum and Immigration Tribunal
Ninth Amendment to the United States Constitution
Dispute resolution
Inquest (England and Wales)
Louis Freeh
Prosecutor's fallacy
Proximate cause
Byron White
Star Chamber
Penet remailer