Full Disclosure - History

The issue of full disclosure was first raised in the context of locksmithing, in a 19th-century controversy over whether weaknesses in lock systems should be kept secret within the locksmithing community or revealed to the public.

According to A. C. Hobbs:

A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.
Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.
It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.
— A. C. Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868).

The full disclosure debate came back to life through dissatisfaction with the methods employed by the Internet security infrastructure in the early 1990s. Software security vulnerabilities were reported to CERT, which would then inform the vendor of that software. Public disclosure of the hole would not take place until the vendor had readied a patch to fix it.

However, since the disclosures were private, some vendors took years to produce a fix, or never produced a fix at all. In the meantime, the vulnerabilities were actively exploited by hackers. Vendors that ignore warnings and rely on the ignorance of attackers are appealing to security through obscurity. However, there is a well-established principle that obscurity should never be used as a primary security measure, and at some point vendor reliance on obscurity becomes a fraudulent misrepresentation of the security of their products.

Since CERT and the vendors were aware of the holes but attempted to keep them secret, even from the administrators of machines being hacked in the field, it was felt that CERT's policies were a manifestation of an impractical, "ivory tower" attitude.

In response to this, mailing lists and other avenues for full disclosure were established, notably the Full Disclosure mailing list.
