Slashdot Mirror


Why Responsible Vulnerability Disclosure Is Painful and Inefficient

A recent rant up at Attrition.org highlights problems with the responsible disclosure of security issues. While some vendors are happy to do their own research and patch reported problems, others drag their feet and make unreasonable demands on a researcher's time and effort, making anonymous public disclosure an ever-more-tempting option. Quoting: "After a couple hours of poking, I found a huge unauthenticated confidentiality hole. Once the euphoria wore off, I realized I had a big problem on my hands. I had to tell my employer's app owners and we had to assess risk and make a decision on what to do about it. After some quick meetings with stakeholders, we decided to severely limit access to the thing while we worked with the vendor. The vendor refused to acknowledge it was a security issue. Odd, considering most everyone who sees the issue unmistakably agrees that it is not acceptable. Now I'm forced to play hardball, yet nobody wants to fully-disclose and destroy relations with this vendor, whose software is somewhat relied on. Meanwhile, I know there are hundreds of institutions, small and large, using this software who have no idea that it has flawed security and who would probably not find the risk acceptable. What can I do? Nothing. Oh well, sucks to be them. ... I've had a vendor tell me to put a webapp firewall in front of their software. Did they offer to pay for it? No. That would be like Toyota telling its customers to buy ejector seats (unsubsidized ejector seats, that is) to resolve the accelerator problem in their vehicles. I've had other vendors demand I spend time helping them understand the issue, basically consulting for free for them. Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."

2 of 182 comments

  1. Did they then require you to cook them dinner? by Anonymous Coward · Score: -1, Offtopic

    "Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner?"

    Yeah... my buxom neighbour has her "headlights" on all the time. I proceeded to knock on her door to ask for a date, and she indeed required me to provision a dinner.

  2. This is modern "Capitalism" by Artifakt · Score: -1, Offtopic

    A frightening portion of people with good paying jobs got there by getting less well paid people to know more and do more for free, and think it always works. The same goes for the investors at the top. They are the same crowd that demands the government step in and help them keep their positions, and yet tithes regularly to various think tanks and pundits that preach the virtues of 'unfettered capitalism'. Anything approaching a free market would result in them being kicked into the gutters, often literally.

    I'm not sure why this counts as news for nerds, without at least revealing the oh-so-useful details of what vendor and software we are discussing. The type of abuse of business partners, governments and the public at large as described happens just about equally in non-tech areas. It does much more damage than this vulnerability has even the slightest potential to do in areas such as the chemical industries. (To avoid being as unspecific as the writer, I'll suggest anyone who wants to can google for "Canton" or "Little Pidgeon River" plus "Papermill" for just one example).

    --
    Who is John Cabal?