by BeefWellington 830 days ago
The general theory is that there's really no such thing as silently patching. Consider:

- Company silently patches issue. Patches have to be applied, which can take some time if people don't know they need to apply them. Even in the case of automatic updates, patching can be delayed if it requires an app restart, for example.
- Malicious actors examine patches, work out exploit, begin exploiting in the wild.
- Customers left in the dark.
- Company assumes that having issued patches is good enough, substantially delays disclosure.

Co-ordinated disclosure aims to prevent all of that by ensuring everyone knows about it at the same time. That removes some of the ability of threat actors to exploit and allows SOCs, EDRs, etc., to update as well, so anything unpatched gets caught. If there are workarounds or other defenses that can be implemented until patching is possible, those can be employed as well.


For anyone trying to understand the issue at hand, this is an excellent summary. Thanks for your comment!

Not sure how this,

> Co-ordinated disclosure aims to prevent all of that by ensuring everyone knows about it at the same time

helps with this,

> Even in the case of automatic updates, patching can be delayed if it requires an app restart, for example.

Not saying they don't have a use-case. Just not sure how it's fixed.

For starters, it (hopefully) delays when a bad actor knows about it, meaning they start their process of reverse engineering the vulnerability after customers have been notified.

There are always going to be situations where out of date software hangs around. This at least levels the playing field when compared to the idea of trying to silently patch something.

It is common for organizations to delay routine patching for some fixed period of time (allow others to be early adopters and assume the risks of negative impacts from the patch), and/or schedule patches to occur during a predetermined maintenance window.

When you make a public security disclosure coordinated with the release of a patch to fix the issue disclosed, you alert the aforementioned organizations that there is an exploitable security vulnerability present and allow them to make an educated assessment of the comparative risks of patching immediately versus waiting and potentially being exploited.

It's not a perfect system, but transparency is the best compromise possible and allows everyone to make an educated choice. All other options have greater downsides.