May 23, 2009
I’ve posted quite a few times on this topic over the years, but things change over time and I don’t think we (the industry) have ever been more fragmented in terms of what we think is right or wrong about this topic. I am really keen to hear what people think, in their opinion, is right and what is wrong about vulnerability disclosure. Please post your thoughts.

I definitely fall in the responsible disclosure camp. Identifying vulnerabilities is an important part of the security industry. Such finds improve security when a limited disclosure is made with a vendor, followed by a full disclosure after a patch release. There are exceptions, but for the most part coordinating with the vendor works well and limits risk to the IT infrastructure.
My two cents,
Wolfgang
Every researcher seems to have their own opinions and they all think their position is correct. And to be fair, their points can be argued. At present, it’s based upon each vendor response and history. Is this all dependent upon the vendors coming into some sort of agreed code of practice? They are happy to set up “alliances” like SAFECode (that we all know lead to nothing) but how much easier would it be to set up a standard for vuln disclosure response? Naive response?
@Wolfgang, if you looked at the code from a security vendor’s product and found it so bad, would you have any faith in them actually being able to rectify things based upon you being responsible with them? Or them actually caring?
Responsible disclosure died a long time ago. Bring out crap and you deserve to be exposed for it. What is responsible? On whose part?
Is there any other industry/sector that expects “responsible”/secret disclosure for faults in their products? Serious question. Or have they all been regulated for so long that something like this ["responsible" and secret disclosure of faults], is just not even expected any more?
If there is, let me know.
Is open disclosure one of the incentives we need for better/more secure (quality) products being produced? Yes, I know the implications but does it speed up real improvements/value/benefits/security/etc?
Responsible disclosure can be a long, drawn-out and painful process. Barriers include:
* Obstructive public-facing staff who don’t take it seriously (i.e. argue that they offer a secure product/service);
* Initial investment/budget was exhausted so the developer (human) resource is no longer available to work on it as efficiently as it might have done at the outset;
* Vendor might take a while to respond;
* Vendor might let it slip unless a date is agreed when the security researcher will publish it to the public regardless of any fixes (often this is an empty threat even the researcher will not go through with!);
* Vendor may not understand the vulnerability and/or how to fix it;
* Security researchers working on other projects too and time to “nanny” vendors is precious;
* More often than not, there is no reward/compensation *offered* by the vendor – a major de-motivator to spend the same amount of pain and effort reporting the next security flaw to the same vendor.
Responsible disclosure still has the inherent benefits of “buying time”. Arguably.
But… I can do a very few Google Code Searches and come up with tens of thousands of applications that have critical security flaws (and even backdoors!!1) in them. If reporting one single vulnerability to a single vendor can drag on for about 10 months (it happens!), who in their right mind is going to report it to 20,000 vendors and then follow all that up!?
The latter is potentially an argument for irresponsible disclosure.
Currently, per month, we hover around 100 to 200 responsibly-disclosed vulns that lead to advisories/patches/updates to *major* software. This is an important point: researchers typically don’t waste their time on say a web application that was used only 10,000 times. Yet malicious people convert that 10,000 into a botnet and you start to have a global problem. So 100 per month for a year, 1,200 fixes, compared to 50,000 vulns (conservative estimate) and growing (in open source software alone!), the battle is clearly being lost at the moment.
I personally have not gone the irresponsible disclosure route (yet?) because of integrity/ethical beliefs I have (my own limitation, not necessarily that of everyone else). Almost all of my work is internal and under NDA so thankfully it’s a lot easier on me as someone who personally security reviews vast amounts of code.
But if there was a shift in what was acceptable with regards to disclosure, it would be so easy to expose most of the world’s code as containing security flaws. Who wins?
It will never get fixed in time and the bad guys will (and do!) have a field day.
Areas of responsibility: we (security people) do our bit, vendors must do their bit, users of the software and sys admins must do their bit to get the updates.
When one of those parties doesn’t do their bit, that’s when there should be an option to break out of responsible disclosure. Name and shame the level that’s being a barrier because it has global impact.
Another case where it might be OK to talk about it before the fix is released is if the users/sys admins can mitigate it themselves and/or the software itself is discovered to be malicious by design. Do this under careful and informed advice.
My 2 pence. Thanks for the air time.
Does anyone know of a vulnerability clearing house as such, whereupon a “trusted” independent 3rd party could liaise and broker the researcher and vendor of code and set timelines for release to the public? A pre-cursor to CVSS?
Then we could go look at a trusted page and search products e.g. X company has Y flaws, published and unpublished, of Z risk/seriousness? Am thinking a governmental/global sponsored and backed entity but with the professionalism of FIRST.org/SEI. It’s kinda like prohibition: take the secrecy and under-the-table dealing out of it and increase accountability?
TP, valid points raised. D2, valid. CERTs involvement…more? hmm…new business revenue models for struggling CERTs? Wondering though that ideologies vary and expectations of agreement/convergence on approach is too late.
Markets continue to grow for vulns and some do make some good money (or so we are told). Will some be happy to give away their work while knowing others are making dollars out of it? It could be argued that researchers – independent ones – make the choice themselves to undertake the work. What guarantees should be there for any form of payment?
A lot of variables to consider. We’re (SG) somewhat less torn given like TP above, we’re engaged directly under NDAs to perform this work – paid and knowing the outcomes to a certain degree but not in all cases. It’s somewhat a case by case basis.
I am yet to meet a researcher though that has solely gone down one path – more so working it also on a case-by-case basis. Good guys taking the moral high ground while the “bad guys” continue down their path regardless.
Do we inflict some short term pains for potential longer terms benefits? As posted above: “Is open disclosure one of the incentives we need for better/more secure (quality) products being produced? Yes, I know the implications but does it speed up real improvements/value/benefits/security/etc?” If accepted, this kills responsible disclosure. A lot to think about and maybe thinking outside the square is going to bring forward other ideas – whatever, anything coming out needs to be assessed from an overall value/benefit scenario. We have a long history of “great ideas” having taken us nowhere when looking at where we are today vs 10 years ago and more.
Ethics, morals….what do those outside the industry think about this? Would be interesting to get another perspective.
I fall more on the side of full disclosure than not.
- As a security admin, I want to know the holes. Covering them up with ignorance or secrecy does not help me.
- If we are to ever expect business and programmers themselves to code better and produce better products, we need to keep security visible and loud. Programmers are not all created equal and may simply not realize certain issues. Disclosure can help, not just the directly affected programmers, but others who can read the advisories.
- Some issues are not fully understood by the discoverer. How many crash bugs get termed exploitable because a second set of eyes took a crack at it?
All that said, I do understand some measure of responsible disclosure and buying time. And also about NDAs and finding issues while on the clock for someone else and not being able to talk about stuff. But I would hope there is always a time limit for being silent on unfixed issues. It would be a silly construct of business contracts that you might find a disastrous bug in a widely deployed system but be gagged because of legalities. The rest of us can only hope such things get fixed…but we’ll never know.
One bad thing about responsible disclosure, although this may be rare and better spoken to by those who’ve been through it: It enables bad business habits in stifling and keeping quiet security issues. In other words, business still holds the power to just not do anything about it. And I believe business will almost always do what economics or their stakeholders see in their own best interest.
http://www.gnucitizen.org/blog/exploit-sweatshop/
Interesting discussions here.