What are responsible vulnerability disclosure and remediation practices? I broke the problem into a bunch of different viewpoints when I did the Black Hat thing. If you take a look at the exploiter's view of the world, what motivates them? Fame, fortune, curiosity and creativity. They want attention, they want money. If you look at the ethical researchers' world, they are motivated by the same things. The differentiator is what they do with the information. So as the CISO of a large company, don't I want things to be discovered? Absolutely, because I want to make sure vulnerabilities are plugged. I want people to be rewarded for the work they have done. If they are not rewarded on the clean side, they'll be rewarded on the dirty side.
How should bugs be disclosed? Suppose there's a vulnerability in some platform and you go tell the world about it. Some researchers would say that's exactly what you should [do], because otherwise the vendor won't address it. I say, "You are telling people how I can be compromised, and that's a big problem." [On the other hand], you discover something and you tell vendor XYZ that there's a vulnerability in their product and they do nothing for 200 days. We haven't created between the vendor, the ethical researcher and the business consumer an environment that we can all benefit from. It is doable, but I'm not sure anybody is really taking on that challenge.
How should vendors respond to vulnerabilities found in their products? In an ideal world, there wouldn't be any vulnerabilities and they wouldn't have to disclose anything. But that is not the real world. Really critical vulnerabilities must be plugged immediately. On the other hand, what is critical? I think what you are seeing in the industry today is that most of the vendors are trying to be very conservative in their ratings of vulnerabilities. What they are really trying to do is limit the exposure that gets generated from them having had a vulnerability.
What is the ideal vendor response? It's very context-dependent. In my position, of course, I'd like to know everything [relating to a vulnerability]. But is that reasonable? I think enough information should be released so that people can make a reasonable assessment of how vulnerable they are. But we don't want to provide information that helps unethical people compromise systems before issues can be addressed.
How do you respond to disclosure of bugs? We don't continuously want to have our environment in turmoil from being forced to constantly patch and patch in rapid fashion without having the ability to validate that these patches are not going to hurt us. We need to have time to do due diligence.