I had an interesting discussion with my boss today around the issue of the vulnerabilities discovered (and made public) in some of Cisco's products. Note that my boss (who happens to be my cousin) and I are engaged in the construction of a neo-scholastic computer-business morality school. The result is that some of our debates turn out to be reasonably complex.
The debate today centered on the morality of the action taken by Michael Lynn of ISS regarding the public release of the vulnerabilities he discovered in some of Cisco's routers. We started the discussion by considering what the appropriate course of action would be in a case like this. That is, if someone discovers a vulnerability in a hardware or software product, what is that person supposed to do? We agreed that the correct thing to do would be to inform the manufacturer confidentially about the vulnerability. If the manufacturer gives clear guarantees that immediate action will be taken, we would then favour waiting until the manufacturer publishes the corresponding patch. Once this is done, we would make the vulnerability public along with the solution.
In case the manufacturer is not ready to take immediate action, we would then proceed to make the vulnerability public. This has nothing to do with a desire to hurt anyone or to take revenge. Note that Michael Lynn works for ISS, a company specialised in network security. A network security company has a (fiduciary?) duty towards its clients, and must inform them of any possible vulnerabilities in their systems.
Making the vulnerability public before informing the manufacturer could do more harm than good, and as such the security company would not be complying with appropriate service standards towards its clients. But in case the manufacturer refuses to solve the issue, the only possible way to make them react is to publish the vulnerability.
A new problem then arises. Why should we (a network security company) do the dirty work for companies like Cisco or Microsoft? At the end of the day they are not paying us to do the job for them. Well, it is not that clear. If, as a network security company, we charged our clients and were also paid by the manufacturers, we would be running into a dangerous conflict of interest. We cannot serve two masters. We have to choose either the clients or the manufacturers. And this is at the core of the ISS-Cisco-Lynn issue.
Now, all this discussion has been built on the basis of the proprietary software sphere. It would all change in the world of free software ("free as in freedom, not as in beer"). In the world of free software, security vulnerabilities can be solved by anyone with enough technical expertise and capabilities. And this is so because everyone has access to the source code. Microsoft, for instance, does not allow access to its source code, and as a result only they can solve any issues that may arise. If the source code of Microsoft's products were available to everyone, then anyone with enough technical skills would be able to solve vulnerabilities that may arise.
In that case, and given Microsoft's security track record, a vast market in solving the vulnerabilities of the company's products would be created. This would benefit Microsoft as much as its clients, to the extent that there would be a legion of computer experts investigating vulnerabilities and providing solutions. At the moment there is a legion of experts just investigating vulnerabilities and letting Microsoft know, so that the company can solve them at its leisure.
Maybe this is another strong reason to support the idea of Microsoft liberating its source code. It would mean a real and present benefit for the company and its products, to the extent that a free market in "vulnerabilities and patches" would contribute to improving development and innovation. In the end, the idea of "security through obscurity" does not pay, and this is in fact one of the strongest arguments in favour of free software.