In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.
Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to protect their system from potential attacks as well as to protect their own image. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as a Full-Disclosure mailing list and by other means.
Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.
Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called responsible disclosure.
In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public. Opinions differ on what constitutes a reasonable time. Fourteen to thirty days is typical, although the period could be a matter of hours. Internet Security Systems was widely criticized for allowing less than eight hours before disclosing details of a vulnerability in the Apache HTTP Server.
Limited disclosure, is an alternative approach where full details of the vulnerability are provided to a restricted community of developers and vendors while the public is only informed of a potential security issue. Advocates of this approach also claim the term "responsible disclosure".
Full article ▸