In late March we mentioned that Sybase was threatening a security company over the disclosure of security flaws it had found in Sybase code, and that a French company had taken a security researcher to court and had him fined 5000 Euro. Judging from this Register story, it looks like Sybase and NGSSoftware are going to settle their dispute amicably, but the episode really does bring into view a point that many in the Open Source community have been trying to make for ages.
It seems that most commercial companies would much prefer it if you handed your security flaw research to them and never revealed it publicly at all, but the problem with that is that there is nothing in it for the security companies if they do. The current standard procedure appears to be to tell the software vendor first, then wait for a predetermined period before publicly releasing your findings. With that approach the vendor is pushed to patch the flaws quickly and roll the patches out to its users, which can only be a good thing, right? Well, not all vendors are happy about the pressure on themselves and on their users (to install the patches), and legal proceedings are a good way (in their minds at least) to stop bug disclosure. The problem with making it difficult for security researchers to do their jobs is that if you succeed, you end up in a situation where only malicious crackers (black hats) are actively looking for security flaws, and the vendor has no way of knowing what they find until after it has been used against one of its customers. All of this makes you wonder how many flaws have been found in commercial software that we simply don't know about because of actions like those above.
Contrast that with Open Source software like Linux, Apache and Firefox, where not only is the source code of the relevant applications freely available to anyone who wants it, but the creators actively encourage users and developers to find and report bugs in the software so that they can be fixed and the software improved as a result. In fact the Mozilla Foundation actually pays people to find security flaws in its software, with the goal of making the software as secure and bug-free as it can possibly be. Now you decide whether to believe past claims by old school commercial software companies (you know who you are) that having the source code openly available is a bad thing for security.