Vulnerability Disclosure: The Strange Case of Bret McDanel

Responsible developers work hard to produce secure, reliable, and efficient software packages. No company wants its integrity compromised by hackers, employees, or legitimate users. Negative publicity damages a firm’s reputation. Legal proceedings can cost an organization millions and destroy any chance of long-term success. Realistically, few products are released without security flaws. Programmers and system designers strive to find security bugs during the development cycle or at worse during beta testing, when bugs can be fixed easily. Careful testing will allow internal programmers to debug the software without publicity or industry notice. The outcome may differ if outsiders discover a security breach. Malicious hackers may exploit the breach to obtain classified information, to destroy the integrity of the information, or simply for the challenge. Even self-described “ethical hackers” may share this information with no discretion. Given the speed of the Internet, security breaches can be transmitted worldwide in hours. This article deals with vulnerability disclosure, where the details of a security breach are freely available. It also deals with the bizarre case of Bret McDanel, a young computer expert who spent 16 months in federal prison after he exposed a security breach in his former employer’s software package.