Slashdot Mirror

X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""

19 of 98 comments

  1. Bad idea by The Terrorists · Score: 5, Insightful
    If you want to have your security reporters in cahoots with the corporations that have the holes, go right ahead. This opens the door to massive corruption if insecure firms pay off security reporters. Or, the government could stop a report permanently if it's deemed a security risk. Only the threat of disclosure is the enforcement for fixing these security breaches.

    1. Re: Bad idea by invi · Score: 5, Insightful

      Come on?! If ISS does not document a security issue in time, somebody else will ... and therefore ISS' credibility will suffer over time. I'm not sure if I see the danger of corruption here.

      Personally, I think 30 days is a good time span for letting software companies fix their code. On the other hand, why wait 30 days until mentioning the vulnerability? ISS could simply announce that there *is* a problem with a given product without going into the details ("buffer overflow in Bind, tracking number #25521, details will be published December 16th 2002"). So, if your business runs a vulnerable piece of software which is not critical to your operation, you can disable the service until a patch is available. If the software is critical, it's up to you to take the risk.

    2. Re: Bad idea by WPIDalamar · Score: 4, Insightful

      But then that gets all the baddies looking for the hole. It's a lot easier to find something if you know it exists. Without details, the good guys don't know exactly what to do to fix/work around the hole. Especially if the software IS critical.

  2. They've Reached a Balance by oni · Score: 4, Insightful

    Their criteria sound pretty reasonable to me. They've tried to reach a balance between the rights of sysadmins to know their systems are vulnerable and their responsibility when they tell script kiddies about exploits before they've been fixed.

  3. The actual process is... by radiumhahn · Score: 2, Insightful

    exploit discovered by people looking for exploits; exploit gets exploited and appears in 2600; vendors deny exploit until fix is built; dumb people open all email attachments looking for funny pictures; anti-virus and firewall companies make money; questionable fix is released but some new exploit has taken the limelight; exploit is denied by vendors...

  4. When guns are outlawed... by HBI · Score: 4, Insightful

    Did it occur to the powers at ISS that this rule basically just enlarges the window for exploits to be exploited? The real danger zone is the time between the discovery (not necessarily the disclosure!) of the vulnerability, and the point when a certain critical mass of vulnerable boxes are patched.

    How many people patch their systems the day the patch is released? Certainly, I do, but does even the majority do so? I doubt it. Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless. They will certainly find out, if there is even an inkling of information about the exploit. IRC is much more effective than ISS anyway.

    Nice to know that black hats will always have better information than us. Thanks ISS. Another step backward in the fight to preserve our systems.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.

    1. Re:When guns are outlawed... by stratjakt · Score: 5, Insightful

      >> Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless

      The script kiddies are clueless too. Script kiddie != black hat hacker. A script kiddie is someone who downloads the exploit when posted and uses it. The black hats discover the exploit.

      The ratio of real 'hackers' to script kiddies is about 1 to a zillion.

      So sure, that 1 hacker can still be running amok for 30 days, but the zillion script kiddies are sitting around with their thumbs up their asses.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:When guns are outlawed... by Anonymous Coward · Score: 1, Insightful

      Nice to know that black hats will always have better information than us. Thanks ISS. Another step backward in the fight to preserve our systems.

      You weren't aware that ISS has a history of hiring known black and gray hats to work in X-Force and product development? ISS is not the only company guilty of this either. Corporate America would likely have a kitten if they found out that a substantial portion of the code base of many of the security products on the market were developed by people with less than pristine backgrounds.

      And before anyone jumps up and says that it takes a hacker to catch a hacker, I certainly agree. However, is it the best possible outcome to have black hats working for security companies actively researching vulnerabilities, possibly funneling that information to the underground community, and ultimately into the hands of script kiddies? And just think of what bugs might be in the code of security software intentionally.
    3. Re:When guns are outlawed... by Zathrus · Score: 3, Insightful

      Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless

      Which part of

      there are a number of exceptions that can prompt faster disclosure [...] an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild

      did you not understand?

      If ISS follows these guidelines, then any evidence of the vulnerability being actively used will mean an immediate (or at least accelerated) release of information.

      This is a pretty good process, at least if it's held to for everyone fairly and equally.

      Look, I can understand not reading the article, but when you don't even bother to read the freaking summary of the article and then postulate stupidly, you're an idiot.

  5. That's ridiculous. by Anonymous Coward · Score: 1, Insightful

    This opens the door to massive corruption if insecure firms pay off security reporters.

    The same could (should!) be said about the police. Should we abolish policemen?

    Anarchy is a better answer than corporation-cum-government forced secrecy, but it's still uncivilized. It should be someone's job to tread that tricky middle ground where the vulnerability is not irresponsibly publicized, but the vendors of the insecure software are not allowed to unreasonably suppress the details of the vulnerability. In other words, someone to maintain the threat of publicity just long enough to force the vendor to patch the wares as fast as possible, but not at the expense of end users everywhere.

    Sounds like the ISS is stepping up to the plate and doing just that.

  6. On the facts reported by Featureless · Score: 5, Insightful

    It sounds eminently reasonable - the best for all concerned. 30 days is not a long embargo, and their list of exceptions seems to me extremely thorough. This appears to answer criticism that "premature disclosure" is irresponsible (a criticism which I don't give much merit, but others disagree) with an intelligent and nuanced policy.

    The message to vendors: we'll cooperate with you, if you act responsibly and respond quickly.

    Quickly being the operative word. The tragic thing in the disclosure and response-time debate is the assumption that if the white-hat side discovers a flaw, they're the only ones who've found it... and just because you can't find a paper or an exploit after a bit of looking doesn't mean it's not out there.

    Certainly, there is a long history of big vendors (I won't name any names... ah, whatever, Microsoft) who completely ignore (i.e. won't return calls) or "yes" the helpful hackers to death (i.e. yes, it's on the list, we'll have a new patch _any day now_ - rinse, repeat for 6 months), and then whine when the disclosure becomes public... even as the publicity stings them to finally bestir themselves to release a patch. So I'm very glad to hear of those in the security community making a logical response to it all.

  7. Re:These are NEW guidelines? by LostCluster · Score: 5, Insightful

    The change is that if either the mainstream media starts spreading (usually inaccurate) info about the problem, or there's already an exploit in the wild, the 30-day period goes right out the window as pointless. ISS isn't gonna keep it a secret if somebody else is already spilling...

  8. Re:Only one new aspect really. by LostCluster · Score: 3, Insightful

    Apache gets 30 days if and only if the hole is still secret. If a black hat group looks at Apache's code and finds the same hole and puts an exploit into the wild, Apache gets no notice at all.

    Microsoft has an advantage at preventing this situation... black hats, or anybody else, can't look at MS's code.

  9. ISS Paid Off? by Apathy costs bills · Score: 5, Insightful

    This opens the door to massive corruption if insecure firms pay off security reporters.

    Your argument is that this open change in their disclosure policy is a slippery slope to behind-the-scenes cash-for-silence deals. In my mind, the threat of such deals is not influenced whatsoever by the open and stated policy of ISS but rather by their corporate ethics. ISS and other security companies which deal with the government gain vast swaths of revenue due to the fact that they retain their integrity by laying out rules and following them. A single deal of the type that you mention would put the profits of the entire company and all its public shareholders at risk. In short, I believe your hypothesis is unfounded.

    --
    Kill Trolls Dead. Here's

    1. Re:ISS Paid Off? by Chazmyrr · Score: 3, Insightful

      Corporate Ethics? Corporations don't have ethics. People have ethics. Or don't. If some executives decide they can cut a deal, sell their options, and get out before the shoe drops, it doesn't really matter what the shareholders might think about it. Think it's just Tyco, Enron, and Worldcom where executives put the profits of the entire company and all its public shareholders at risk? In short, I believe your hypothesis is unfounded and naive.

  10. I'm skeptical. by Anonymous Coward · Score: 5, Insightful

    Well, these "guidelines" are common sense to every researcher who has a bit of heart for the field of work. I guess their partners were finally able to beat some reason into these ISS people. The recent BIND fiasco proved once again that these "security researchers" value headlines more than their supposed mission statement. (Yes, I know, we all like to earn a buck, but in every profession you have your moral obligations.) ISS deliberately rushed advisories, and I don't think the issue was due to a lack of guidelines - this policy was a strategic move to get news stories at the expense of the users worldwide. These malicious practices are a disgrace to the security community that has come such a long way, and although ISS are not the only ones, they have probably been the most high-profile commercial predators.

    Anyway, we've heard similar promises before from OIS (of which ISS is a founding member) and it never stopped ISS from unethical behavior. But now apparently it bit them in the ass. I am surprised that nobody of their "alliances" denounced ISS for their malpractices earlier; I suspect this has been done behind the curtains, but granted, as long as it's effective, fine with me!

    So way to go ISS, but I wouldn't already sing hallelujah - they were always wrong and this is just normal. ;)

  11. An idea by Ektanoor · Score: 3, Insightful

    Well, the guidelines are not bad at all, but 30 days may be too much. We know that there are frequent parallel discoveries and that there are some organisations that are quite stubborn about changing their behaviour toward security. While 30 days might be an acceptable span for most problems, I would prefer a more graduated exposure timeline, based on some criteria. For example:

    If the exploit is highly dangerous, but complex, a step-by-step disclosure over a period of up to 30 days would be preferable.

    If there are middle-term solutions capable of making a temporary solution, then the problem is disclosed in a shorter period.

    If the vendor/developer has a terrible record of playing "it's a feature, not a bug", then no pity on him. Either disclose ASAP or in shorter periods. This could be a good instrument to punish their lamerness.

    If the vendor/developer comes up with half-measures and dubious patches, disclose without pity.

    And, besides, I believe it would be good to get some early warning stuff. Or disclosure may catch many people asleep. Maybe it would be good to get a standardized warning message 24 or 48 hours before disclosure, that something wrong may have happened with this or that app. This message should in no way be similar to the press releases the Mass Media uses to pump over the crowd. Or else we may risk having information spoiled by some journalists trying to gain points in their careers.

  12. Before we congratulate ISS by Anonymous Coward · Score: 3, Insightful

    Before you go congratulating ISS on their new security policy, you should read the whole article.

    "The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information emerges during development of the advisory."

    This means that paying customers of ISS will receive the information 29 days before the rest of the world. This is part of an alarming trend of companies and organizations who are charging money for advance notice of vulnerability information (e.g. iDEFENSE and even CERT's new Internet Security Alliance).

    Let's not forget the way things *used* to be. A few years back, the rule was that a small cadre of elite people knew about the vulnerability before the rest of the world. This caused lots of problems, which was one of the reasons for rfp to push for responsible full disclosure in the first place.

    The ISS policy represents a regression back to the old way of doing things, except now the cadre of people "in the know" are the ones who can afford to pay ISS for advanced vulnerability information. Presumably the rest of the world has to suffer and get hacked. Support companies and organizations who TRULY practice responsible full disclosure -- don't support companies trying to make a quick buck off this kind of extortion.

  13. Responsible only if you are not a customer... by Anonymous Coward · Score: 2, Insightful

    Of course, if you pay ISS money and become a customer of theirs, then you will find out about security issues in advance, a day after the vendor is notified (or an attempt is made to notify).

    How can this be responsible disclosure unless they make sure that all their customers are "good guys"?