Apparently Time Has Reversed – Not The Disclosure Debate Again?!?

Remember back in 2001, when researchers were compared to terrorists and the term “Information Anarchy” was coined? You can read this blast from the past here –>

As the saying goes, those who do not learn from history are doomed to repeat it. Or something like that. Which brings us to this clueless blog post over on the Verizon Business Blog –>

The gem of this post is:

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

Sigh. Really? One would think that a business with the word “Intelligence” in its name would actually show some. Meanwhile, we all know that the “intelligence” is nothing more than a bunch of drones monitoring IPS logs and getting yelled at when the technology they have pimped out fails to detect a real-world threat. So instead of actually attempting to improve things, it is much easier to point fingers, call names and blame researchers.

Researchers *DESERVE* credit for their finds because, while they cause short-term pain (short-term pain Verizon Business is able to invoice clients for), they are effecting long-term change. History has shown that when a vendor gets tired of being hammered by security issues, that vendor starts taking security seriously and begins to improve. Let us not forget that the majority of researchers do this FOR FREE, so giving them some resume fodder and recognition should not be such a big deal.

Verizon Business’ entire business model would fall apart if it were not for these so-called “Narcissistic Vulnerability Pimps” giving their drones something to submit billable hours for. Or how about the fact that Verizon Business has employed, and may very well still employ, the exact people they are attempting to point fingers at? I know for a fact that at one time (maybe still) a couple of very high-profile “Pimps” were receiving paychecks from Verizon.

I am totally stealing this comment from Charlie Miller’s Twitter, but based on this blog post, Verizon Business are the whores that the vulnerability pimps peddle to. Given the choice of being a pimp or a whore, I would pick pimp any day of the week: the wage is better, the benefits are better, and who doesn’t like smacking a ho once in a while?

Let’s back up a second and try to determine exactly what Verizon is complaining about. I suppose they are trying to point out the difference between a researcher who follows responsible disclosure and one who does not. So why the silly name calling? Why not simply put it that way? There are those who believe in responsible disclosure and there are those who do not. Kind of simple, isn’t it? Oh wait, that does not make for a good blog post to generate some attention and traffic. Much like this one.

While I am ranting about what is probably the most ass-backwards blog post of the year, I might as well share my opinion on the whole disclosure thing. Yes, I do truly believe this is beating a dead horse, as there will never be an opinion that is completely correct.

There was a time, especially around 2001, when I believed that reporting a bug to a vendor and then giving said vendor a set amount of time (30 days in my case) to fix the vulnerability was the right thing to do. Once the 30 days expired, release full details on the vulnerability and move on.

Over the years, as I began to work for various software and hardware vendors, my thinking slightly changed, putting me more in the responsible disclosure camp. To me this means: you find a vulnerability, you report it to the vendor, and you wait for the vendor to patch before releasing your independent advisory. The severity of the issue, based on ease of exploitation and impact, dictates how much detail to release, because the whole point is to actually increase security. The one caveat is that if a vendor refuses to patch an issue, does not take it seriously, or someone else finds the issue and uses it publicly, then all bets are off, and it is better to simply drop all the details so that those in the protection business have a level playing field.

In fact, the only reason I am against the whole “No More Free Bugs” movement is that if you privatize and monetize the reporting of vulnerabilities, you lose the ability to hold a vendor truly accountable by simply “dropping zero day” on them to force a fix. Once you enter into contracts and start accepting money for vulnerabilities, you lose your ability to force change. That said, a pimp needs to get paid. 😉

Anyway, this whole argument is stupid. Full disclosure works, and in my opinion responsible disclosure is a safe compromise as long as the vendor is playing along. Verizon Business is truly biting the hand that feeds it.


3 Responses to “Apparently Time Has Reversed – Not The Disclosure Debate Again?!?”

  1. MrDrunkNightRisin Says:


    I worked at Verizon and specifically, Verizon Business, and also have been a “full disclosure” pimp. Or whatever. And it was never for the “purpose of self-glorification and self-gratification”. Well. Only in the sense that doing what is right and hard to do is glorifying ultimately to one’s self, though one usually receives a ton of societal BS shame for doing so…

    Ultimately, the ethical reason for supporting full disclosure is a simple matter of considering all the angles. It is about forcing companies to get more secure in a world of horrendous threats that are inevitable but not yet exploited.

    There’s plenty of people who slander out there. There’s a word for that. Devil. D-E-V-I-L. These brilliant experts at condemnation can look it up for themselves.

    Personally, and for people I know, life isn’t about looking down one’s nose at anyone, regardless of how morally or intellectually challenged they may be.

    While that may give some shallow, self-righteous pleasure… ultimately, it is merely an attempt to persist in a very small world that is delusional. The real world is much larger than that. And sooner or later everyone knows those little worlds of delusion are going to burst.

    And that is so unpleasant we rightly term it: “the end of the world”.


    Finally, to state a point of defense here: this guy represents himself. I do not believe he represents all of the consultancy arm of VzB. He surely does not represent the people inside of VzB. VzB is ex-MCI Worldcom and a very complicated part of a very large company… that happens to be core to the global internet and telephony infrastructure. The consultancy arm is well thought of but generally very separate from this.

  2. MrDrunkNightRisin Says:

    And duly noted here, I agree with the precept of your post.

    While this is an intellectual quagmire for the self-righteous, for those who generally only focus their condemnation on bigots… it is well understood that such condemnations are very justified and right.

    Bigots… we can all universally condemn without the slightest tinge of self-righteousness that they so soak themselves in…

    A pernicious temptation in the security business if there ever was one, but one which primarily ***NOOBS*** fall sway to the most.
