This article by Pete Bigelow on AutoBlog asking whether cyber-security researchers can continue studying cars or not was an interesting read:
By allowing vehicle security researchers to hack cars and publish details of their exploits, federal officials said they feared they could encourage people with malicious intent to infiltrate vehicles.
One of the chief ways they might ease that concern would be by imposing a 90-day waiting period before independent cyber-security experts could share details of their efforts.
Officials with the U.S. Copyright Office floated that idea – essentially a compromise – during a hearing Tuesday that may determine whether security researchers can continue to access software coding that runs many critical functions in cars without fear of legal repercussions.
Proponents of independent car-hacking research have asked the Copyright Office to grant an exemption under provisions of a federal law that governs access to copyrighted materials. They say this sort of independent research plays a critical part in pushing manufacturers to better protect their vehicles, but OEMs argued their disclosures increased the potential for harm. That grim possibility seemed to register with copyright officials Tuesday.
“What if you find a vulnerability the bad guys don’t know about yet,” asked Jacqueline Charlesworth, general counsel and associate register of copyrights, during the proceedings held at the UCLA School of Law in Los Angeles. “That’s what I’m struggling with here.”
Disclosure has always been a sticking point in the security research world. On one hand, there is a group of folks who prefer that vulnerabilities remain secret, sometimes until they are fixed, sometimes for a specific period. On the other hand, there are those who believe that immediately disclosing a security vulnerability puts pressure on the manufacturer or developer to issue a quick fix.
Personally, I am in the latter camp. There are very few instances where delaying disclosure is a good thing.
In most cases, malicious actors, especially those backed by nation states, are already aware of the vulnerability and have it as one of the tools in their arsenal. The longer it takes to issue a fix, the longer these actors can leverage the vulnerability to compromise victims all over the world.
Sometimes our very own NSA uses this tactic, which is likely why they prefer long disclosure times. This way they, too, can leverage the vulnerability in their worldwide CNO campaigns.