This morning I noticed that McAfee announced yesterday that they fully intend to once again enter the game of public vulnerability disclosure. Now, as you may or may not know, I'm a huge fan of full-disclosure; given my belief that full-disclosure is a productive activity, my first thought was "good for them - get that return on the 80 million dollar Foundstone investment." But then I started thinking through the subtleties of this, and I started questioning the appropriateness of an AV company participating in full-disclosure. How could it possibly be an issue, you ask? It'll take a bit of explanation to get there, but there could be a potential conflict of interest in this. It's a conflict of interest similar to the one I pointed out when Symantec bought SecurityFocus:
So, a few years ago Symantec bought SecurityFocus right? Symantec sells a bunch of stuff like AntiVirus, IPS, IDS, and so forth. And SecurityFocus hosts both the BugTraq and the vuln-dev mailing lists, both of which are now moderated by Symantec personnel - which means that Symantec has notice of upcoming vulnerabilities before any other product vendor out there. Do you think it would be worth Symantec's time to notify their IDS engineering team about new vulnerabilities before they approve disclosures according to their moderating process? I do. Do you think it'd be worth Symantec's time to "sit on" messages awaiting moderation for a period of time (maybe even a few hours) while their engineering team has a chance to develop signatures for a particular piece of exploit code or while they develop a technique to prevent that issue? I do. Conflict of interest. Now, to give Symantec due props, they're probably not doing this... But do we have assurances to that effect? Maybe they reassure us somewhere, but I can't find it in their moderation policy...
It seems to me that there's something similar going on with McAfee... McAfee said this in their press release:
McAfee announced its reemergence in the field of vulnerability discovery and disclosure as a way to raise public awareness of potential points of attack... McAfee will also use its findings to help provide preemptive protection to its customers before targeted exploits can become serious problems.
So, McAfee will raise awareness about avenues of attack; that's one way of looking at it. Of course, some in our community would say that they're raising this awareness by creating new avenues of attack, which makes it somewhat less noble. You can choose to believe that or not, but it's certainly not an unheard-of position to argue that bugfinding increases risk. McAfee says they're using their findings to provide preemptive protection, but some would argue that they are selling a solution to a problem that they helped to create. Is that a conflict of interest? Is it appropriate to both discover new vulnerabilities and sell solutions to the vulnerabilities you discover? As a staunch capitalist, I'm tempted to just say "yes" and be done with it. But it also seems to me that there's something to be said for avoiding the "appearance of impropriety" - clearly there's a segment of reasoned, intelligent infosec luminaries who see McAfee as both creating risk and selling risk reduction... Maybe that's not McAfee's fault, but well... there it is.