Slashdot Mirror

← Back to Stories (view on slashdot.org)

Responsible Disclosure — 16 Opinions

Posted by ryuzaki0 on from the one-man's-meat dept.

An anonymous reader writes, "Disclosure. Just a word, but in the security field it is the root of progress, sharing knowledge and getting bugs fixed. SecurityFocus published an interesting collection of quotes about the best disclosure processes. The article features 11 big vendors, 2 buyers of vulnerabilities, and 3 independent researchers. What emerges is a subtle picture of the way vendors and researchers differ over how much elapsed time constitutes 'responsible.' Whereas vendors ask for unlimited patience, independent researchers look for a real commitment to develop a patch in a short time. Nice read." Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."

7 of 87 comments (clear)

  1. Information was okay... by HatchedEggs · · Score: 2, Interesting

    It really wasn't so indepth, but it was interesting the statement by each of those companies. The one that impressed me the most was SAP, where the vendor and the researcher would agree on action to be taken at the time of the disclosure.

    I do think that the ethical approach is certainly approach a vendor first. Inform them that they have a given time to apply a patch to it, and then hold them to it and release the information at the end of that time.

    --
    Justin - Don't be afraid of my blog, it won't bite.
  2. Definitely worth the read... by tygerstripes · · Score: 2, Interesting
    I'm not particularly interested in exploits and such per se, but I found the article fascinating anyway. Sure, some of what they said was interesting - especially the researchers - but the most interesting thing was the tone of the Vendors' statements

    Seriously, have a look. If you're at all used to reading between the lines, their statements regarding security, disclosure etc give you a far greater insight into their real attitudes than any marketing, reviews or horror stories ever could.

    --
    Meta will eat itself
  3. Responsible Disclosure == hiding vulnerabilities by QuantumG · · Score: 4, Interesting

    The responsible vendor takes time to vet the problem within their own lab. They have to develop a patch, [they] Quality Control it and then publish the patch. Microsoft and Oracle average about 120 days to do this.

    So, in order to be "responsible" you have to keep the vulnerability secret for 120 days. Four months. You're kiding right? Say I'm an independant researcher. I find this vulnerability using no special skills and publically available tools. Clearly a highly skilled blackhat could just as likely have found the same vulnerability as me. Let's suppose that I've found this vulnerability in the first 2 days of a new release of the product under inspection. The blackhat could well have discovered it in the same number of days, but let's say it takes him a month longer than me, just to be generous. I'm supposed to sit on this vulnerability and let the blackhat break into systems using it for how long? 3 months? This is responsible? Wouldn't it be more responsible if I were to go public immediately? Obviously publishing tools which script kiddies can use to attack people is not a good idea, that's not what we're talking about. Surely I should at least tell people that I have found a vulnerability and that the software in question is not, in my opinion, something that you should be using if you care about security. Isn't my failure to do this just make me complacent in a conspiracy to hide that fact that people may be breaking into systems using this vulnerability?

    What if I'm an IDS manufacturer? I start getting alarms that shell code has been detected in a protocol stream that has never before seen shell code in it. Analysing the incident I discover that there is a vulnerability in a particular daemon which these attackers are using to gain unauthorised access. Who should I inform? The vendor of that daemon? My customers? Or the general public? This is no longer a theoretical "the bad guys might know too" situation, this is a widespread pattern of attack that I have detected indicating that real harm is being done. If I fail to inform the public immediately, am I not complacent in helping nto more computers? Doesn't sound very responsible to me.

    --
    How we know is more important than what we know.
  4. If I were Microsoft by Lord+Ender · · Score: 5, Interesting

    If I were deciding policy for MS or any other big vendor, I would publish a "hush money" policy on security vulnerabilities.

    Basically, it would go like this:

    "If you discover a vlunerability and report it only to us, when we eventually release the patch, we will give you credit for discovering it (what researchers really want), and we will give you $10,000. If you report it to anyone else before we release the patch, you will get no money and no credit."

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:If I were Microsoft by QuantumG · · Score: 1, Interesting

      I happen to know some people who have exactly that relationship with Microsoft.. except for the whole credit part.. they sell the rights to that along with their soul. Of course, seeing as I'm not about to give up the names of these people, you'll just have to take my word for it (or call me a lier, whichever you prefer). Microsoft doesn't make this policy public because it is out and out unethical. People have a right to know the risk of running Microsoft software, but so many security flaws are fixed in service packs without even a mention as to their existence.. therefore customers have only a vague idea of how important it is to upgrade.

      --
      How we know is more important than what we know.
  5. Re:5 days with MS?! by Kirth · · Score: 2, Interesting

    Give em 30 days at least.

    Why? MS has proven it can fix a hole which allows reading of its DRMd content in 3 days.
    http://www.schneier.com/blog/archives/2006/09/micr osoft_and_f.html

    --
    "The more prohibitions there are, The poorer the people will be" -- Lao Tse
  6. Re:Wikipedia by Anonymous Coward · · Score: 5, Interesting
    Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."
    Seems like the one should just be a redirect to the other. Or, better yet, maybe "responsible disclosure" should redirect to "anonymous disclosure".

    I attempted to get [multi-billion dollar company] to fix a gaping security hole that was well-known to persons using [their product] which has support & licensing fees upwards of $300,000 per year. Their response was to tell my management that I was a loose cannon and should be fired (luckily my management told them to get stuffed, but the hole still wasn't fixed).

    So I sent [multi-billion dollar company] an email from my infant daughter's email account (yes, I create accounts for my kids when they are born, shut up) informing them that the details of their security problem would be published on the bugtraq mailing list in two weeks, and attached a copy of what would be posted.

    In less than 48 hours, I was contacted at the "postmaster" address for the email domain by [multi-billion dollar company] who informed me that we (the domain's registered in the name of a friend of mine, so there's no visible connection to me) were harboring an evil criminal hacker at [email address of my daughter] and that I needed to give them personal information about that user. I replied "oh, gee, thanks, that account belongs to a two-year old child, somebody must have hacked it, we are shutting that account off now, have a nice day".

    Three days later all customers of [multi-billion dollar company] got an urgent update that corrected the security flaw in [their product]. I never did post to bugtraq, because the point of the exercise was to get [multi-billion dollar company] to do what was best for both them and their customers, and that goal was achieved. I couldn't have made the threat, though, without the existence of anonymous full disclosure listservs.