Three Cheers for Disclosure

A funny thing's been happening on the security mailing lists lately, and it's got me shaking my head.

Next Generation Security Software (NGSSoftware), has been publishing vulnerability alerts for a couple of years now. It's most notorious for a July 2002 demonstration of the vulnerability in the Microsoft SQL Monitor protocol, a protocol used by SQL servers to discover other SQL servers on the network. That vulnerability, although patched at the time of disclosure, resulted in the SQL Slammer/Sapphire worm in January 2003, considered to be the fastest-spreading worm ever.

After being broadly chastised, NGSSoftware took the position that the details of its discoveries should be held for a period of time after the Microsoft patch was released. Until Slammer, the position was simply to ensure Microsoft had released a patch prior to disclosure.

I'm not trying to rehash the old disclosure debate; there are many people who support the entire spectrum of choices regarding disclosure, from immediate and full to none at all. Instead I'm shaking my head at the number of people who now seem confused over NGSSoftware's decision to publish details 90 days after a patch's release.

A spate of detailed disclosures regarding vulnerabilities patched last fall have been hitting the security mailing lists. They provide far more details than Microsoft had supplied in its respective Security Bulletins, and help security folks who feel they need such details. Still, I've been receiving numerous responses from mailing list subscribers that these vulnerability notices are simply advertising for NGSSoftware.

Well, of course they're advertising! That's been part of vulnerability notices for many years now. But it's unfair to label them as only advertising, since they are providing the extra, detailed knowledge so many seem to feel they need. I presume they need these details to write their own intrusion detection/prevention system (IDS/IPS) signatures for attacks that may be based on the vulnerability, or they want to craft their own exploit code to perform vulnerability scans on their systems. At least that's historically what people say they need those details for. I've yet to see a single response from anyone applauding NGSSoftware for releasing these details.

All this makes me wonder just how necessary they really are. I'm not saying they shouldn't be released, but I am wondering who's using these details, if not the myriad security professionals on the security mailing lists.

I believe the vast majority rely on others to absorb the details and transform them into something usable like a new IDS/IPS signature, a test for a vulnerability scanner or a new best practice; most don't actually need these details.

This is how the anti-virus industry works. For the most part, companies keep quiet about the details of the hundreds of new viruses reported every week, except among those in the industry who create the antivirus programs used by consumers. If there's a soft underbelly of the security industry, it's the disclosure of proof-of-concept code to millions who generally either aren't technically savvy enough to do anything with it other than run it, or wouldn't run it even if they could, for fear of the ramifications such a program might have on their production environment.

I applaud NGSSoftware's disclosure position, and hope it's emulated more often.

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most- recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.


  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

  • Microsoft Nudging Out Classic SharePoint Blogs

    So-called "classic" blogs used by SharePoint Online subscribers are on their way toward "retirement," according to Dec. 4 Microsoft Message Center post.

  • Datacenters in Space: OrbitsEdge Partners with HPE

    A Florida-based startup is partnering with Hewlett Packard Enterprise in a deal that gives new meaning to the "edge" in edge computing.

  • Windows 10 Hyper-V vs. Windows Server Hyper-V: Which Platform for Which Workloads?

    The differences between these two Hyper-V versions are pretty significant, depending on what you plan to use them for. Here's a quick rundown of each platform, from their features to licensing quirks to intended use cases.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.