Slashdot Mirror


Why Responsible Vulnerability Disclosure Is Painful and Inefficient

A recent rant up at Attrition.org highlights problems with the responsible disclosure of security issues. While some vendors are happy to do their own research and patch reported problems, others drag their feet and make unreasonable demands on a researcher's time and effort, making anonymous public disclosure an ever-more-tempting option. Quoting: "After a couple hours of poking, I found a huge unauthenticated confidentiality hole. Once the euphoria wore off, I realized I had a big problem on my hands. I had to tell my employer's app owners and we had to assess risk and make a decision on what to do about it. After some quick meetings with stakeholders, we decided to severely limit access to the thing while we worked with the vendor. The vendor refused to acknowledge it was a security issue. Odd, considering most everyone who sees the issue unmistakably agrees that it is not acceptable. Now I'm forced to play hardball, yet nobody wants to fully-disclose and destroy relations with this vendor, whose software is somewhat relied on. Meanwhile, I know there are hundreds of institutions, small and large, using this software who have no idea that it has flawed security and who would probably not find the risk acceptable. What can I do? Nothing. Oh well, sucks to be them. ... I've had a vendor tell me to put a webapp firewall in front of their software. Did they offer to pay for it? No. That would be like Toyota telling its customers to buy ejector seats (unsubsidized ejector seats, that is) to resolve the accelerator problem in their vehicles. I've had other vendors demand I spend time helping them understand the issue, basically consulting for free for them. Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."

8 of 182 comments

  1. I'd just like to report by 2.7182 · · Score: 5, Funny

    that there is an exploit that allows a user to bump their post up to first.

  2. wow by phantomfive · · Score: 4, Funny

    No. That would be like Toyota telling its customers to buy ejector seats (unsubsidized ejector seats, that is) to resolve the accelerator problem in their vehicles.

    Where can I sign the petition to make that happen?? O_O

    --
    Qxe4
    1. Re:wow by magus_melchior · · Score: 2, Funny

      You could ask M5 to mod your car.

      The roof mod is extra, though.

      --
      "We are Microsoft. You shall be assimilated. Competition is futile."
    2. Re:wow by __aasqbs9791 · · Score: 2, Funny

      If they amp the power enough, the roof mod will come free with the first use.

  3. did you post this in the wrong place? by YesIAmAScript · · Score: 2, Funny

    Or perhaps this is some kind of steganographic secret message you are passing onto one of your field agents?

    Your response has nothing at all to do with the situation here.

    --
    http://lkml.org/lkml/2005/8/20/95
  4. The real painful and inefficient thing? by wampus · · Score: 2, Funny

    That analogy. Stop it.

  5. company botnets by Anonymous Coward · · Score: 4, Funny

    The reason companies don't like people disclosing their security holes is not only do they have to release a fix, they also have to slip in a new hole and make sure most of their botnet successfully migrates to it. Since there is a gradual uptake of patches and people tend to drag their feet installing a given patch, botnet performance can be severely impacted, reducing the marketability of its services.

  6. Neighbours by lennier · · Score: 4, Funny

    "Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."

    And after dinner, did they then require you to take them to a movie, a concert, some clubs and a night of passionate...

    Excuse me, I'm just going to go check all the car headlights in my street. Be right back.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC