What is Responsible Disclosure for Security Flaws?

Silverdot writes "In an article on ZDNet, the author brought up a few cases of uneasy relationships between security researchers and software firms. While those who report the bugs should first seek to notify and work with the software firm to resolve the flaw, One researcher commented: "All researchers should follow responsible disclosure guidelines, but if a vendor like Microsoft takes six months to a year to fix a flaw, a researcher has every right to release the details." Should the onus be on the software firm to manage each issue and the relationship well, or does it fall to the morally responsible user?"

The cost of secrecy

[denissmith]

The cost of secrecy is high. Reasonable response times ( up to, say, 3 months) before disclosure should be allowed - even for firms that seem to be sitting on their hands, and if the firm is close to a patch and they are willing to communicate and work with the researcher a longer time may be reasonable. Overall, disclosure of a problem is always in the USERS best interest, and secrecy is always in the SOFTWARE FIRMS best interest. The longer a known security issue exists, in secret, the more likely it is that someone else has found it - and that puts everyone at risk. The rights of users ( who are victims of the software firms bad code) should always come before the rights of the software firm. Always. So this means disclosure should be seen as a blessing. Those who complain about irresponsible researchers putting everyone at risk are wrong - everyone is already AT RISK. Failure to let me know what risks I face should be seen as the problem. I need to know.

Re:The cost of secrecy

[Grayputer]

It is in the best interests of the user community in several ways. First, it puts pressure on teh software company to patch quickly. Second, it allows users to compare patch histories (quantity and response time) in choosing a product/company. Lastly, the bad guys have a communications system just like the good guys, eventually it WILL be common knowledge on the 'dark side', it needs to be common knowledge on the 'light side' as well.

The issue is 'what is a reasonable timeframe'. Someone said 3 months, someone else said 1 week, and someone said it can take a year. As we all know, 'reasonable' is a subjective term.

I think 1 week is not sufficient. I work in a small software company and I deal with large companies. A large company can't issue a memo in 1 week, it can't get from the department where you reported it to the department that needs to fix it in a week (notify development, support, QA, and 'shipping/distribution' managers and get an impact statement).

As to the one year to fix it estimate, that seems very unreasonable, especially at Internet time speeds. The 'dark side' will be well versed in the bug well before that time has passed.

Is it 1 month, 3 months, 6 months, or 9 months? It probably depends on where the bug is located. We develop a small niche market piece of middleware. A 'full QA' run (specifically test new function, regression test all other functions) can take a couple weeks even using automated test suites (runs on 10+ platforms, several hundred tests per platform, some testing is single threaded due to 'expensive hardware' resource issues, some test have to be manual). Packaging issues across 10 platforms with doco can add a couple more weeks. All assuming we know the exact coding bug and do not have to analyse the reported problem.

So if a specific coding bug is reported in a core secton of the product, it can take a couple weeks of QA, plus Dev time, plus packaging, plus documentation, plus ... So a core change that impacts packaging and doco can easily be a month or more. On the other hand, a 'typo' that does not impact packaging (impossible, we have to release it somehow so some 'packaging' is needed) or doco can be a few days.

Consequently, I'd guess 1 month is too short as well. I'd posit that a couple of months (3?) from the time the coding level fix it identified is probably a reasonable startng point. Given some reports I've received it can take from minutes to a lifetime to narrow the reported issue to a coding level fix.

Re:The cost of secrecy

[Donny+Smith]

> I consider 1 week (5 workdays) a reasonable response time.

Response as in "confirming a bug report"?

What do you base your "reasonable" upon?

Are you aware that QA alone sometimes takes weeks?

I would prefer to keep the system exposed (in a controlled environment) to installing an non-QA-ed hack on my production servers.

"Responsible Disclosure" is a lie

[TripMaster+Monkey]

"Responsible disclosure" is a propganda term propogated by the software firms to a) get as much time as possible to fix security holes, and b) indemnify themselves as much as possible against any public disclosure of said security holes by labeling the disclosers as 'irresponsible'.

If a security hole exists, it exists, despite how much public discussion about said hole is quashed. Today more than ever, there are unscrupulous people out there laboring to find and take advantage of these holes. Muzzling the virtuous hackers, who only wish to make things more secure, is counterproductive in the extreme. The only 'responsible disclosure' is full and immediate disclosure.

Re:"Responsible Disclosure" is a lie

[garcia]

b) indemnify themselves as much as possible against any public disclosure of said security holes by labeling the disclosers as 'irresponsible'.

And to prepare legal proceedings against those that do end up disclosing the holes against the wishes of the companies trying to patch them (here).

Re:"Responsible Disclosure" is a lie

[gr8_phk]

"The only 'responsible disclosure' is full and immediate disclosure."

I'd argue that giving the software company a heads up to find a fix would be more responsible than immediate disclosure. There is no fixed amount of time either. If the company is unresponsive, wait as long as you feel appropriate and go public. If the company responds and appears to be making reasonable efforts to fix it, give them time. The public isn't going to fix the problem, so blabbing to them isn't going to help. Blabbing to them that the company has known for X months and isn't doing anything will help the public form an opinion about the company and move away from their products.

easy: immediate disclosure with technical details

If you find a security hole in someone else's code you can either:

1) use the DJB approach: reveal the hole in a public forum, preferably with a working exploit.

2) use my preferred approach: fix your clients' copies of the program, and otherwise keep quiet. Consider it a competitive advantage when the next Apache/SSH/PHP worm hits.

Any other approach is an utter waste of time, for everyone except the vendor.

If you reveal the flaw only to the author, you are:

a) Working for someone else without getting paid.

b) Saying "it's okay" to write software with security holes, because shucks, some kind soul will fix it for you.

c) Not telling the rest of us, the sysadmins of the world, how to protect our own systems. You see, the company or author has already demonstrated incompetence. Why help them? Of course you don't owe anybody anything (see point #a) but if you're going to tell anybody, tell the people with the most to lose!

Of course, I'm assuming we're working with software where you have the source code. Secure software without source code is an oxymoron. And no, I don't think the license makes code more secure, since maybe 95% of the coders out there can't code properly. My ability to audit is what makes it more secure, and yes, I do as much of that as I can.

Let me make the point clear: I don't care if the author fixes the code or not, or how quickly he can "patch". I need to know the details of the problem so I can solve it myself. That's what's important.

People who advocate "irresponsible disclosure" (my term for any disclosure that doesn't inform the end-user first) are really secretly afraid that someone will someday find flaws in THEIR systems and embarrass them. But that's the point: embarrassment is a cost, and people will try to minimize costs any way they can. At some point they will actually try writing secure software. And maybe at some point, users will start demanding secure software.

I think we can all agree that the security situation is getting worse, not better. Most of the software I see these days is garbage, to put it mildly. Bloated, complex, insecure.

Constantly holding the hand of authors via irresponsible disclosure is not going to solve the problem. Do you want to wait until the government regulates software, basically punishing everybody for the sins of the incompetent? Or should we let market forces do their thing?

Not necessarily

[dereference]

The longer a known security issue exists, in secret, the more likely it is that someone else has found it - and that puts everyone at risk.

I mostly agree with your overall analysis, but I'm compelled to point out that this one statement seems self-contradicting. What is the difference whether a security issue is "known...in secret" rather than simply "unknown"? I submit that a better way to say this would be that "the longer any security issue exists, the more likely it is that someone else has found it," without regard to how known or unknown it may be during the interim.

The only way this is not true is if you consider the (perhaps non-trivial) cases where the "secret" is leaked, intentionally or otherwise.

Plain and simple

[It+doesn't+come+easy]

Responsible disclosure from Microsoft's perspective: You tell us and only us. We'll tell the rest of the world when we think it's necessary (if ever).

Responsible to whom?

[miffo.swe]

Responsible disclosure has no real benefit to the end user. It may stop some percentage of big outbreaks of worms but it doesnt in any way make life for admins guarding sensetive information a bit easier. From what i have understood many exploits are used by crackers long before they are in the wild. That is, many networks and servers are broken into and gathered for intel long before there is a patch, sometimes even for years.

Responsible disclosure only lenghten the period for the crackers in wich they can use their exploits for real cracking. It gives at best a breather for software manufacturers to drag their ass. It also doesnt promote real testing and auditing of software before its shipped. I would as an end user much prefer more tested software, that includes OSS thank you very much. Current release cycles is way to short to give any time for testing.

That's because you're a defective person.

[bmajik]

I use OpenBSD too, so don't start with me.

How can you be happy when someone else is suffering? It's not your grandmothers fault she uses windows. OpenBSD is NOT appropriate for "home users", and it's not designed to be, and it cannot ever be as secure as it is yet as functional as required for non-power-users.

Every operating system in use on PC's has security issues, even openBSD. OpenBSD is where it is because it's entire focus is security/correctness.

Security and correctness are NOT the most important aspect of general software development - if they were the only requirements, then a lead box buried in the ground would easily be more secure than openBSD. The issue is functionality vs security and correctness.

When there is something that works as well as windows for what people that use windows need to do, but has fewer problems, people will change to it in droves. For some people, that is Mac OS - although it has its own severe security problems - do you laugh when people with macs have to reboot their machines because of SoftwareUpdates ?

In any case - 0 day full disclosure hurts the majority of computer users. No amount of pain will convince them to stop using windows. If you want people to stop using windows, develop a credible alternative. Don't sit and laugh at people that don't have better choices available to them, and then say things like "i support people making life harder for windows users".

Re:Openswan project directly affected

[Todd+Knarr]

Refuse to sign the NDA. Then make a public announcement: "$AGENCY has notified us that a possible vulnerability exists, however they won't tell us what the vulnerability is unless we sign an NDA. Comitting a patch to fix the problem to CVS or releasing fixed code before they allow it would violate the NDA, and we aren't willing to agree to deliberately not fix a security bug.". Let the resulting PR headache be $AGENCY's headache.