What you don't know about the security of your information systems can hurt you and probably already has. But how much information about security flaws is too much? Anything you're told about a software vulnerability, the villains surely will pick up, too.

Most people who manage information security say bring it on, subscribing to the belief that the more details they have about vulnerabilities, the better prepared they will be. They count on not only the software vendors' official security advisories, but also on researchers who specialize in analyzing products for flaws.

That's where the controversy heats up. Many researchers bring serious flaws to light, but others are all too willing to cash in on their cleverness by posting information about software vulnerabilities before vendors have a chance to patch their products. This shameless self-promotion of being the first to expose a key vulnerability can bring fame and consulting contracts. Other firms readily open up their checkbooks to pay hackers for dirt on flaws, doling out premiums for the worst flaws--ones that, say, Microsoft ends up rating critical. These disclosures are followed closely by malicious hackers looking for cracks to exploit. They also force IT staffs to drop more strategic projects in order to plug holes in their systems before the next big worm or Trojan strikes.

It's when these researchers also hold elite vendors--like Microsoft and Oracle--accountable that they earn their keep. Software is more secure today in part because the threat of public embarrassment hangs over the vendors, says George Roettger, Internet security specialist for ISP NetLink Services, in an E-mail interview. Researchers also wield a lot of power, he says, because their information can be used by "the bottom-feeder hackers who don't know much and learn from every piece of information available."

Metafile Smackdown

	Sadler wants to know: What do security companies stand to gain?

The experience around Windows Metafile earlier this year shows why these researchers are so controversial and powerful. WMF exploits represented a true zero-day attack, threatening several versions of Windows before Microsoft could issue a patch. In January, a vulnerability in WMF surfaced that let attackers use the Windows' graphics rendering engine that handles WMF images to launch malicious code on users' computers via these images. A number of security researchers posted information about the vulnerability to their mailing lists. Within a few hours, researcher H.D. Moore posted a working example of a WMF exploit--a piece of code written to take advantage of a software flaw--on his Metasploit Web site. Some defended the action, saying it offered insight into the rules security pros needed to put on intrusion-detection systems to avoid getting hit. Others argued that what Moore did enabled the average hacker to more easily exploit the flaw. "I guess both views are correct. The only practical difference between them is the intention of the 'security specialist,'" says Mati Aharoni, lead penetration tester with Israeli IT security education firm See Security Technologies, in an E-mail interview.

The hoopla about Windows Metafile led to some of the most frustrating days of Connie Sadler's career. "There were people predicting dire straits if we didn't do something," says the director of IT security at Brown University. "I had to put days aside from my regular job just to monitor different sites just in case something came up."

While the researchers kicked up dust, companies looking to defend themselves had few options. Microsoft's customers had to either wait for Microsoft's patch or install workaround code written by Ilfak Guilfanov, a senior developer at Belgian software maker DataRescue. Although Guilfanov's code got the approval of the SANS Institute's Internet Storm Center and security research firm F-Secure, it created a dilemma for people like Sadler. "If we ask our users to install that, it tells them it's OK to find and install a third-party patch, and it gave phishers an opportunity to exploit users," says Sadler, a former manager of global infrastructure security at Lockheed Martin.