Monday, August 03, 2009

Extortion or Responsible Disclosure?

I was just reading an article in Wired - "Electronic High-Security Locks Easily Defeated at DefCon".

A quote from the article:
The lock makers say they can’t respond to the issues Tobias is raising until he tells them exactly how his attacks work. But before he’s willing to give them the details, Tobias has insisted the makers agree to fix the vulnerable locks retroactively with no cost to customers who have already purchased them. Something they refuse.

It got me thinking - I've never heard of anyone doing this in the software world. For vendors whose product is just a website, I suppose this kind of threat isn't too big a deal, since they can fix it in place. Most reasonable software vendors provide patching on an ongoing basis, but for those who don't, is anyone aware of any cases like this? A researcher requiring the vendor to promise to fix the product before they disclose the defect?

1 comment:

Laksh said...

The cost of fixing stuff in the hardware world is high. We see so many product recalls for safety reasons - some caused by software as well - like the Toyota Prius recall. I guess we need some federal laws to enforce cost-free (for consumers) product recall/repair for security vulnerabilities identified in hardware as well.