July 03, 2024

On disclosing vulnerabilities

Nicolas Carlini wrote about why he attacks, his motivation for security research, and his work over time in different systems -- web, browser, ML and more. The part that stood out was how he handles disclosing vulnerabilities.

All security vulnerabilities lie on a spectrum of how hard they are to resolve. On one end, there are vulnerabilities that are easily patched, and on the other side, are those that are not.

vulnerability-spectrum

A vulnerability is patchable if the people who built the system can fix it, and in fixing it, can prevent the exploitation of the system.

for vulnerabilities like this, it makes complete sense to give the developers time to fix the vulnerability before going public.

A vulnerability is basically unpatchable if there's nothing that you can do to prevent its exploitation. The most extreme example of this would be an exploit on one of the foundational cryptographic primitives that we take for granted, like AES or RSA.

for vulnerabilities like this, it makes sense to go public immediately. Because basically all of the damage that can be cause already has been: waiting to disclose is only going to mean more people will become impacted as they use the vulnerable system. Sure you might want to find the most high profile targets to disclose to and give a heads up, but it's important to go public quickly.

Its a case of an instance of a vulnerability vs a class of vulnerabilities. An instance can be patched and should rightfully be disclosed to the developers and given time to patch. Where as a class of vulnerabilities exist due to a fundamental design flaw and cannot be patched. It's important to disclose these as soon as possible because the damage has already been done and waiting will only cause more harm.

Are there other ways to look at this? What do you think?