When security vulnerabilities are discussed, the term responsible disclosure often comes up. It is a rather perverse term, since responsible disclosure is based on the idea that software developers do not have to be responsible for security. With responsible disclosure, software developers can continually introduce security vulnerabilities into their software. They are only being irresponsible if they don’t fix vulnerabilities once they are notified of them. Even that is overstating things, as software developers don’t face any long-term consequences if they don’t do that. The parties that do face potential consequences are those disclosing vulnerabilities, if they haven’t done things to someone else’s satisfaction. That is impossible to avoid, because people have incompatible views of what responsible disclosure is. For example, we had a developer criticize us for ever disclosing a vulnerability, saying responsible disclosure means only disclosing it to the developer. That runs directly against the disclosure part of responsible disclosure.
Software developers’ responsibilities are put on others in additional ways. We were recently contacted by someone wanting us to provide them with free help dealing with the aftereffects of their website being hacked, which was caused by WordPress plugins from a major WordPress plugin developer. Or, more accurately, it was their belief that the plugins were responsible for the hack. That was despite them paying the plugins’ developer a significant amount for support for those plugins.