Three Cheers for Disclosure

A funny thing's been happening on the security mailing lists lately, and it's got me shaking my head.

Next Generation Security Software (NGSSoftware), has been publishing vulnerability alerts for a couple of years now. It's most notorious for a July 2002 demonstration of the vulnerability in the Microsoft SQL Monitor protocol, a protocol used by SQL servers to discover other SQL servers on the network. That vulnerability, although patched at the time of disclosure, resulted in the SQL Slammer/Sapphire worm in January 2003, considered to be the fastest-spreading worm ever.

After being broadly chastised, NGSSoftware took the position that the details of its discoveries should be held for a period of time after the Microsoft patch was released. Until Slammer, the position was simply to ensure Microsoft had released a patch prior to disclosure.

I'm not trying to rehash the old disclosure debate; there are many people who support the entire spectrum of choices regarding disclosure, from immediate and full to none at all. Instead I'm shaking my head at the number of people who now seem confused over NGSSoftware's decision to publish details 90 days after a patch's release.

A spate of detailed disclosures regarding vulnerabilities patched last fall have been hitting the security mailing lists. They provide far more details than Microsoft had supplied in its respective Security Bulletins, and help security folks who feel they need such details. Still, I've been receiving numerous responses from mailing list subscribers that these vulnerability notices are simply advertising for NGSSoftware.

Well, of course they're advertising! That's been part of vulnerability notices for many years now. But it's unfair to label them as only advertising, since they are providing the extra, detailed knowledge so many seem to feel they need. I presume they need these details to write their own intrusion detection/prevention system (IDS/IPS) signatures for attacks that may be based on the vulnerability, or they want to craft their own exploit code to perform vulnerability scans on their systems. At least that's historically what people say they need those details for. I've yet to see a single response from anyone applauding NGSSoftware for releasing these details.

All this makes me wonder just how necessary they really are. I'm not saying they shouldn't be released, but I am wondering who's using these details, if not the myriad security professionals on the security mailing lists.

I believe the vast majority rely on others to absorb the details and transform them into something usable like a new IDS/IPS signature, a test for a vulnerability scanner or a new best practice; most don't actually need these details.

This is how the anti-virus industry works. For the most part, companies keep quiet about the details of the hundreds of new viruses reported every week, except among those in the industry who create the antivirus programs used by consumers. If there's a soft underbelly of the security industry, it's the disclosure of proof-of-concept code to millions who generally either aren't technically savvy enough to do anything with it other than run it, or wouldn't run it even if they could, for fear of the ramifications such a program might have on their production environment.

I applaud NGSSoftware's disclosure position, and hope it's emulated more often.

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most- recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.


  • Microsoft In Talks To Acquire TikTok

    A deal between Microsoft and Beijing-based ByteDance is in the works that would have Microsoft acquiring some of ByteDance's holdings in the TikTok social media service.

  • Some Cortana Features Ending as Part of Microsoft 365 Shift

    Microsoft may be promoting Cortana more as a Microsoft 365 business perk, but the digital assistant will soon see several of its capabilities falling out of support.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • Tasks in Teams Starts Rolling Out to Some Microsoft 365 Users

    Tasks in Teams, which pulls together information from Microsoft task-creation apps like Planner and To Do, has started rolling out to "a small group" of Microsoft 365 users.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.