Linden Lab suggests viewer security vulnerability disclosure group

Over on the Second Life viewer development mailing list, there's a spirited discussion in progress about the suggestion of a notification list for viewer security vulnerabilities. The principal idea is that distributors of third-party viewers would get slightly earlier notification of vulnerabilities and exploits in the viewer code so that they could have secured versions of their Second Life viewers available to the general public at approximately the same time as secured versions of the first-party viewer become available.

Linden Lab has invited debate on what sorts of people it would be reasonable to disclose the information to (for example, perhaps only those who had signed a non-disclosure agreement). The topic has, naturally enough, brought out considerable debate as to whether such a group is necessary or even desirable.

As a general rule, a majority of Second Life users never become aware of actual security vulnerabilities in the viewer, or if they do, rarely take any action to mitigate or prevent exploitation of the vulnerability (in those cases where mitigation is actually possible). Among the users, tales of security exploits abound like urban myths, with few having any basis in fact (certain days of the year are particularly prone to such tales).

In such cases, public disclosure of security vulnerabilities prior to patched viewers becoming available advantages the would-be exploiter and disadvantages the majority of users.

On the other hand, such disclosures allow a minority of users (who become aware of the problem and are able to do something about it) to take mitigating action to prevent themselves from falling victim to the exploit.

This is in contrast to late disclosure, where a patched viewer is available immediately at the time of disclosure, but all of the users have been left ignorant of the problem (except those who might already be exploiting it).

As for the exploiters, frequently all it takes is a slight hint about the nature of the issue (packet spoofing, buffer overflows that allow certain things) for them to be able to identify and produce a software exploit within only hours. Indeed, the majority of software exploits that are patched are ones that are already being exploited. It's the actual exploitation that draws attention, and once the vague nature of it is known, it isn't hard to identify the problem.

Unfortunately, it may be rather harder to fix than to find.

A recent round of such fixes took nearly two weeks to successfully deploy (and had plenty of issues of its own) and probably took at least as long to develop the fixes in the first place. It also left third-party viewers (and users of same) behind, as they were not made aware of necessarily incompatible changes before those changes were deployed.

What do you think, should Linden Lab disclose the details before starting to fix things? Should they disclose to third-party viewer teams before the general public? Or should they patch their own viewer first, and let the third-parties scramble to catch up later?
