Was Cigital security warning too hasty?

Security experts gave mixed reviews Thursday to the way in which a software-reliability company disclosed a bug in Microsoft's newest tools for building applications for its .Net framework and Windows operating system.

Late Wednesday, Dulles, Va.-based Cigital told The Wall Street Journal of a flaw in Microsoft's latest tools for creating Windows and .Net programs after giving the software giant a little more than 12 hours to respond.

Some security experts criticized the quick public announcement as irresponsible.

"There is no way that Microsoft could fix this in a day," said Al Huger, vice president of engineering for vulnerability-information company SecurityFocus. "Full disclosure has to be coupled with responsible disclosure."

The issue reopens a debate on how to responsibly disclose information about security vulnerabilities. Thoughts on disclosure range between two extremes: those who believe that every detail of a potential security threat should be publicized as soon as possible, and others who believe that no details of any security flaw should ever be published.

Mainstream security experts typically believe that the creator of a flawed piece of software should first be notified and, depending on the seriousness of the flaw, allowed a certain amount of time to create a patch to fix the problem.

News source: News.com
