VPS and Dedicated Server Hosting Company Future Hosting Supports “Responsible Disclosure”

September 24, 2015
VPS and dedicated server hosting company Future Hosting recently announced its support for “responsible disclosure”. The company, which has headquarters in Southfield, Michigan, USA, was established in 2001 and offers a range of hosting services, including dedicated servers, Virtual Private Servers (VPS), and hybrid Virtual Private Servers. The company’s announcement refers to the disclosure of security vulnerabilities.

Future Hosting’s announcement is a response to “multi-stakeholder talks” arranged by the U.S. Department of Commerce’s National Telecommunications and Information Administration. The talks are intended to engage software developers and security researchers in discussion of the issues related to disclosing security vulnerabilities. “Responsible disclosure” is a term that applies to disclosing vulnerability details “after an agreed period of time has elapsed”. This enables developers to produce patches, and it counters the “security by obscurity” approach some take to vulnerabilities, that is, ignoring them in the hope that “they will not be discovered” or “exploited by malicious individuals”.

The company suggests that all complex software is prone to vulnerabilities. These can be caused by programming mistakes that malicious third parties leverage to steal data or even take control of entire computer systems. On occasion, security researchers are subject to legal action in a bid to restrict information about possible vulnerabilities within a system. However, Future Hosting believes developers should be given enough time to address vulnerabilities and create patches before researchers announce vulnerability issues.

“We support responsible disclosure because it helps align the interests of software developers with users,” explained Future Hosting’s Vice President of Operations, Maulesh Patel. “Security researchers should, of course, give developers a reasonable amount of time to create patches and fix vulnerabilities, but if they appear unwilling or unable to do so, it's important that users of the software can make an informed choice about the risks. As a hosting company, we manage a complex software stack on behalf of our clients, and we need to know that we have the most up-to-date information about potential vulnerabilities in order to keep our clients safe.”





