The annual summer bug parades at Black Hat and Defcon always leave me questioning motives. This year, as in the past, we witnessed a deluge of vulnerability disclosures, and many of them seemed to me to be beyond irresponsible. They were attempts at naked glory mongering, and that just plain stinks.
Before I defend my claims, I’ll say that I am a huge fan of freedom of speech. I don’t begrudge anyone the right to publish the results of their work. That’s not my point. My point is that it isn’t always responsible to exercise one’s rights.
I’ll use two of the vulnerabilities disclosed last week to illustrate what I’m talking about: the Apple iPhone SMS vulnerability and the Computrace LoJack laptop firmware vulnerability. Please note that I’m basing my statements on published reports of these vulnerabilities. I have no inside knowledge of how these issues were handled either by the product vendors or by the analysts who discovered and reported them.
According to the published reports, both of these vulnerabilities were reported to the respective vendors a fairly short time prior to Defcon and Black Hat, which were held at the end of July, and neither vendor had repaired its respective security defect by the time it was unveiled at the security conferences. There are