3

This is a multi-part question.

In regard to the ASP.NET Padding Oracle (demo link), was that security exploit dealt with in an ethical manner? What could have been done differently or better?

What are the incentives to handle an exploit in the most ethical manner?

What can the InfoSec industry do to incentivise (financial or otherwise) the proper handling of security issues?

Krzysztof Kotowicz
makerofthings7

5 Answers

6

A quite similar question is already here: How to disclose a security vulnerability in an ethical fashion?.

As for the current topic and the way the vulnerability was disclosed: not bad, but still, the IT security community is searching for more ethical ways of vulnerability disclosure. Well, the researchers could have informed the vendor (or maybe they did, I don't know) and waited some days, months, maybe years until the bug was patched. During that time the vulnerability could be exploited. Moreover, who says this vulnerability was not previously exploited by black hats? When the bug is publicly known, it has no more value on the criminal market, and it is easier to defend against and easier to stop script-kiddie attacks, compared to those of skilled black hats. There are endless topics about FD and RD, with numerous pros and cons.

Taking into account the known manner of known vendors' responses, it is no surprise that researchers act like that. Remember the "No more free bugs" movement.

2

Padding oracles have been known about for years. This is a best-effort full-disclosure situation since so many apps are affected. MyFaces was spoken to a year ago, but now ASP.NET apps (e.g. DotNetNuke) are under the gun.

atdre
2

I think it's just another iteration of the full disclosure vs. responsible disclosure debate that has been going on within the IT security industry for years now. It's just a matter of personal opinion; each side has its own strong points.

Often cited pros and cons of each approach are:

Full disclosure:

Pro:

  • Black hats might already know that anyway (sometimes there's even a proof)
  • Users get the patch faster due to vendor pressure

Con:

  • 0-days put all users in danger until patch is released

  • It might be done for fame only

Responsible disclosure:

Pro:

  • Vendors like it, they can plan & allocate their resources and test the patches

  • No users are at risk (if black hats don't find out)

  • Hey, responsible is such a positive word ;)

Con:

  • Vendors tend to ignore the reports or delay the patches

  • The vulnerability is out there, unpatched

  • No information for users on how to mitigate the risk

Getting back to 'was the ASP.NET padding oracle disclosure ethical': in my opinion, it's ethically right to disclose the issue however the researcher decided, be it a 0-day with the exploit, a private e-mail to the vendor or a public disclosure. Their decisions are usually well thought out even if you don't agree with them.

There are only two wrong approaches: forget about the discovered issue (if it seems serious) or sell it on the black market. Apart from that, it is the researcher's sole privilege to decide.

Krzysztof Kotowicz
0

I'm not sure that "ethical" is really involved when dealing with exposing exploits. Exploits are totally un-ethical and totally anti-social, so exposing them at any cost seems acceptable to me. Even a totally botched exposure is less un-ethical and less anti-social than the exploit is.

To me it's kind of like asking, "Is there a nice way to kill someone who's trying to kill me?"

Greg
0

I'm not deeply familiar with the specifics of the disclosure, but as far as I know it was handled in a reasonable way. I'm not aware of any ethical issues associated with the disclosure.

For example, I think it was fully ethical to disclose the existence and nature of the problem. As @atdre mentions, padding oracle attacks have been known about for years, so blackhats may already have known about this attack, for all we know. Given the severity of the problem and the broad scale of the problem, it was critical to get the word out quickly. So I'm not aware of anything that the researchers did wrong.

If you think there's something in particular about how they handled disclosure that raised ethical questions in your mind, I encourage you to elaborate about what that was.

D.W.