Is responsible disclosure responsible enough?

A Jeep taken over from 10 miles away via in-car entertainment system in the summer and just this week news breaking of critical medical devices that are being 'owned' by botnet operators. Vulnerabilities in your web browser are one thing, but when they are in your car or an MRI scanner then the potential impact takes on a different hue. As, indeed, does the small matter of how the security researchers who most often uncover the coding flaws disclose them. New research from AlienVault reveals that 64 percent of security professionals think that when security researchers get no response from vendors when it comes to disclosing a vulnerability with 'life-threatening implications' then the vulnerability should be made public. Some 19 percent of the 650 IT security pros questioned at Black Hat in Las Vegas earlier in the year went as far as to say the vulnerability should be fully disclosed to the media. This is in stark contrast to the traditional process of responsible disclosure whereby all stakeholders agree to a set period for a fix to be produced before any such publication. SCMagazineUK wondered what industry insiders thought, so we asked them...