Revealing Security Flaws, or Keeping A Lid On Them?
Deciding whether or not to reveal a security flaw, a loophole or a glitch is not easy. One problem is where to begin if you’re really going to spill your guts about them, simply because someone who works in security will know of hundreds, perhaps even thousands of both minor and major flaws in various systems and setups. In many cases, that knowledge is confined to the place where that person works, but in about as many instances the flaws will be something that has been standardized across a manufacturer, a chain of stores, or some other large corporate structure.
The problem of whether or not to reveal such a flaw, and how to do it, is only the beginning of the decision process. The question of «to whom» comes up pretty quickly, and a question that bothers many security professionals is what might be at stake for them personally, and what kind of repercussions they may face if the revelation is done in a manner perceived as incorrect. The vows of silence that most employers make their employees sign upon accepting the job count for only so much if the employee feels more loyal to his line of work than to his place of work. Lawsuits and firings, or the threat of them, have little effect beyond producing fear in the employee, and do little to instill confidence and, more importantly, progress.
The overall trend we can see is that once a security flaw is revealed to the public, the situation is rectified: the hole is plugged, or at least the effects of someone exploiting the flaw for some reason or other are minimized, whether the flaw concerns info theft (IT security), burglary (e.g. alarm system flaws), robbery (cash handling routines) or other very common security systems and their shortcomings.
For many private companies, be they small or large, the question of whether or not to tighten security comes down to money. It’s as simple as that. If the money is there, then it’s very likely that the weak link will be reinforced, but if the budget will not allow for any immediate action to be taken, the weak point in security will be set aside, and other operational needs will be seen to first. In some cases, the security employee who saw the flaw, or received the first report of it, will have moved on to greener pastures by the time a new budget rolls around, and the problem continues to hover in the background, forgotten until something, or someone, comes along that takes the weak link and twists it until it breaks.
So should security flaws be revealed to the public? In general, yes. Corporate security, IT security, airport security, government security – they all progress only when they are exposed to outside attacks, or inside attacks for that matter, and the more flaws that are exposed, the more of the holes will eventually be plugged, making for better and more efficient security that will be less of an inconvenience (unlike airport security today) and that will, perhaps, be accepted as an integral part of everyday life.