Slashdot Mirror


Google Up Ante For Disclosure Rules, Increases Bug Bounty

An anonymous reader writes "In a recent post by seven members of their security team, Google lashed out against the current standards of responsible disclosure, and implicitly backed the recent actions of Tavis Ormandy (who is listed as one of the authors). The company said it believed 60 days should be an 'upper bound' for fixing critical vulnerabilities, and asked to be held to the same standard by external researchers. In another, nearly simultaneous post to the Chromium blog, Google also announced they are raising the security reward for Chrome vulnerabilities to $3133.7, apparently in response to Mozilla's recent action."


  1. Elite by ceraphis · · Score: 5, Funny

    Google also announced they are raising the security reward for Chrome vulnerabilities to $3133.7

    That's quite the elite sum of money to use as a reward.

    1. Re:Elite by sarathmenon · · Score: 2, Insightful

      And also, it's contradictory to what Google did earlier this year. They released a zero day for Windows and gave Microsoft hardly a week to patch it. And as a bonus, they made the disclosure public on a Sunday.

      I am all for more industry-standard accountability, but this looks very one-sided, with Google choosing to pick the instances where it gets good publicity.

      --
      Microsoft: "You've got questions. We've got dancing paperclips."
    2. Re:Elite by Undead+Waffle · · Score: 4, Informative

      Looks like someone needs to RTFA.

      This article is basically laying out a policy Google will follow in the future. Here is the most critical bit:

      A lot of talented security researchers work at Google. These researchers discover many vulnerabilities in products from vendors across the board, and they share a detailed analysis of their findings with vendors to help them get started on patch development. We will be supportive of the following practices by our researchers:

      • Placing a disclosure deadline on any serious vulnerability they report, consistent with complexity of the fix. (For example, a design error needs more time to address than a simple memory corruption bug).
      • Responding to a missed disclosure deadline or refusal to address the problem by publishing an analysis of the vulnerability, along with any suggested workarounds.
      • Setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug.

      Now that "zero day" (well 5 days really) the Googler gave Microsoft was only because Microsoft would not commit to fixing it. That is perfectly consistent with the article, which points out "responsible disclosure" is a 2 way street and only works when the person with the vulnerability acts responsibly as well (which Microsoft didn't in this case). You could argue that he should have set a deadline regardless of whether Microsoft agreed to it, but I would not say they are contradicting themselves. They also point out in the article that responsible disclosure isn't always the best route. So I'm going to have to support Google in this article, which is simply about laying out their "supported" disclosure policy for their security researchers in the future.

    3. Re:Elite by bloodhawk · · Score: 2, Insightful

      Now that "zero day" (well 5 days really) the Googler gave Microsoft was only because Microsoft would not commit to fixing it. That is perfectly consistent with the article, which points out "responsible disclosure" is a 2 way street and only works when the person with the vulnerability acts responsibly as well (which Microsoft didn't in this case).

      That is twisting the truth more than a little. MS said they would get back to him with a timeline by the end of the week; he then went and published it anyway. The irresponsible party in that instance was definitely Tavis Ormandy.

    4. Re:Elite by Bigjeff5 · · Score: 4, Interesting

      He actually gave his reasons for disclosure in the disclosure itself.

      Hcp vulnerabilities are a well known attack vector for Windows, and given that the specific vulnerability he found has existed in Windows XP for 9 years, he felt it was very likely that black hats had found the same technique and as such there was a very high likelihood that it was being actively exploited in the wild. I'm sure the ease with which it can be executed factored in as well - it's literally just a one-line hcp url with execution code in it. Therefore, he felt full disclosure so security professionals could begin mitigating the issue (i.e. disable help center) was more important than giving Microsoft ample time to fix the problem.

      Personally, I agree. Microsoft has a history of sitting on high-severity vulnerabilities for years if they aren't disclosed publicly, and this was an extremely easy-to-execute exploit. The prudent course here was to get the information out ASAP, with little more than a courtesy call to Microsoft before he did.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    5. Re:Elite by taviso · · Score: 3, Insightful

      Actually, his comment was entirely accurate.

      I've reported dozens of critical vulnerabilities in Microsoft software over the years, and I still have multiple open cases with Microsoft security; this particular case wasn't as simple as you have assumed. I would not be so presumptuous as to explain the ethics of your work to you, but evidently you believe you're qualified to lecture me in mine.

      If I were to read the sensationalised lay-press coverage of your latest publication or project, would it prepare me to write a critique of your work?

      --
      ex$$
  2. NERDS by Anonymous Coward · · Score: 3, Funny

    NERDS!

  3. I just found a bug... by bi$hop · · Score: 5, Funny

    Dear Google,

    I just found a bug in Gmail. We should talk.

    Sincerely,
    Chinese Hacker

    1. Re:I just found a bug... by cosm · · Score: 5, Insightful

      Dear Chinese Hacker,

      I just found a bug in your government. We should square up.

      Sincerely,
      Google

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    2. Re:I just found a bug... by Noodlenoggin · · Score: 2

      Dear Google, We would like for you to meet us in the 'Square'. All manner of issues have been squashed in the square and I am sure we can come to some kind of arrangement over this issue. Sincerely, Chinese government.

    3. Re:I just found a bug... by gmhowell · · Score: 2, Funny

      3000 yuan is a fairly significant amount of money in China.

      Karma be damned, but that's like bragging about being the skinniest kid at fat camp.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  4. This is good competition by JoshuaZ · · Score: 4, Insightful

    This is a sign of a truly competitive market. When Chrome and Mozilla are competing to the point where they need to bid on how much they pay for people to find flaws in their own software then there's serious competition. And the result is that we, the consumers, benefit the most. This is market dynamics with honest companies at their best.

  5. 60 days = upper bound, not average by Dwonis · · Score: 4, Insightful

    I'm sure a lot of people here will lament that 60 days is way too long to release a fix for most vulnerabilities, and I think that's true. On the other hand, it's probably a "reasonable upper bound" for very complex problems like the TLS session re-negotiation vulnerability, which required coordination between multiple vendors and the IETF in order to fix.

    In other words, if you think you should get a 60-day head start to fix a security bug, your bug had better be at least as complex as CVE-2009-3555.

    1. Re:60 days = upper bound, not average by fuzzyfuzzyfungus · · Score: 5, Insightful

      I think that your comment can be read on two levels:

      One. You are correct. Google is almost certainly taking advantage of the fact that browsers are substantially less complex (and people are comparatively tolerant of little rendering glitches, unless they scotch the whole page or "people" happen to be graphic designers...). It is a cynical, but very logical, tactic to talk most about the virtues you can cultivate most easily (though, conceivably, 60 days might actually be a much tighter limit for some of their server stuff, I don't know how hairy that can get).

      Two. If your product is too large, and too tightly coupled, to turn around a fix in two months you had better have a very compelling reason. Arguably, Microsoft's relatively tight coupling of an enormous number of pieces has been very good business, but not very good design. In the short term, Google's implicit dig is rather cynical. In the longer term, though, they are really scoring a point in a battle of architectural philosophies. Microsoft probably actually handles size, complexity, and tight inter-relation better than most (they'd be dead if they didn't), but the problems that it causes them are basically their fault. They made that mess, they deliberately coupled stuff for economic reasons that could have been decoupled for engineering ones....

    2. Re:60 days = upper bound, not average by Dwonis · · Score: 4, Insightful

      If your bug is so big that you can't fix it in 60 days, then you need to drop the secrecy anyway so that the rest of the world can help you fix it (or work around the fact that you can't).

      Remember that these bugs are things that shouldn't exist in the first place.

    3. Re:60 days = upper bound, not average by Anonymous Coward · · Score: 2, Insightful

      It is not taking them 60 days to make a patch because of product complexity; it is probably taking them only a few hours for the patch. However, because of the huge ecosystem around Windows they have to do a massive amount of regression testing to ensure they are not breaking anyone's products. Imagine how much Adobe would scream if a security patch broke their products, or how about Apple for iTunes, and you can bet the stories wouldn't be "Apple iTunes breaks because of poor Apple development practices", it would be "Microsoft intentionally breaks iTunes, Apple requests anti-monopoly investigation". Most of that time is spent regression testing on every flavour of the product in every language with all the most commonly used applications.

  6. Putting vulnerabilities in escrow? by martin-boundary · · Score: 4, Interesting

    Although it's great to have a company pledge responsible behaviour, the logical next step for the industry would be to put security vulnerability reports in escrow, with an automated time release. This could be as simple as having a CERT server distribute unique encryption keys, with each key being publicly disclosed after a countdown from the time it is generated. A security researcher would encrypt each of their reports with such a key (a different one each time) and publish them on the web. Besides reducing the political squabbling between companies, this kind of system would also be great for priority disputes between researchers.
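
The escrow scheme sketched in this comment, simulated end-to-end in Python as an added example (this is not code from the original post, and no real CERT service offers such an API): a hypothetical key server issues a per-report key with a fixed release time, the researcher seals the report under it and publishes the envelope right away, and the key becomes public only once the countdown expires, after which anyone can open the envelope. The `KeyServer`, `seal_report` and `open_report` names, the sample clock values and the HMAC-SHA256 counter-mode cipher are assumptions made for this example so that it runs on the standard library alone.

```python
"""Time-release vulnerability escrow, simulated in one process.

Assumed model (constructed for this example, not a real CERT service):
a key server issues per-report keys, each with a release time; the
researcher encrypts the report under one key and publishes the sealed
envelope immediately; after the countdown the server publishes the key
and anyone can open the envelope and check it against the commitment.
"""
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass


@dataclass
class EscrowKey:
    key_id: str
    release_at: int   # Unix time at which the server publishes the secret
    secret: bytes     # 32 random bytes, held by server and researcher until release


class KeyServer:
    """Hypothetical CERT-style key server (assumption for this example)."""

    def __init__(self):
        self._keys = {}

    def issue(self, now, countdown_seconds):
        key = EscrowKey(secrets.token_hex(8), now + countdown_seconds,
                        secrets.token_bytes(32))
        self._keys[key.key_id] = key
        return key

    def published_secret(self, key_id, now):
        """Return the secret once its countdown has expired, else None."""
        key = self._keys[key_id]
        return key.secret if now >= key.release_at else None


def _subkeys(secret):
    # Derive independent encryption and MAC keys from the escrow secret.
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key, data):
    # HMAC-SHA256 in counter mode used as a stream cipher. This stands in
    # for a real AEAD (e.g. AES-GCM) so the example needs no third-party library.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        pad = hmac.new(enc_key, struct.pack(">Q", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def seal_report(report, key):
    """Researcher side: encrypt-then-MAC the report, bound to the key id."""
    enc_key, mac_key = _subkeys(key.secret)
    ciphertext = _keystream_xor(enc_key, report)
    tag = hmac.new(mac_key, key.key_id.encode() + ciphertext, hashlib.sha256).hexdigest()
    return {
        "key_id": key.key_id,
        "release_at": key.release_at,
        "ciphertext": ciphertext.hex(),
        "tag": tag,
        # Hash of the plaintext, published at sealing time, so a later
        # priority dispute can be settled against this envelope.
        "commitment": hashlib.sha256(report).hexdigest(),
    }


def open_report(envelope, server, now):
    """Anyone: recover the report once the server has released the key.

    Returns None while the key is still sealed; raises ValueError if the
    envelope was tampered with or does not match its commitment.
    """
    secret = server.published_secret(envelope["key_id"], now)
    if secret is None:
        return None
    enc_key, mac_key = _subkeys(secret)
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    expected = hmac.new(mac_key, envelope["key_id"].encode() + ciphertext,
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("envelope tag mismatch")
    report = _keystream_xor(enc_key, ciphertext)
    if hashlib.sha256(report).hexdigest() != envelope["commitment"]:
        raise ValueError("report does not match published commitment")
    return report


if __name__ == "__main__":
    server = KeyServer()
    t0 = 1_700_000_000                         # constructed clock value
    key = server.issue(t0, 60 * 86400)         # 60-day countdown
    env = seal_report(b"Sample advisory text (constructed)", key)
    print(json.dumps(env, indent=1))           # what the researcher publishes
    print(open_report(env, server, t0 + 86400))  # None: still sealed
    print(open_report(env, server, key.release_at))
```

The envelope is what gets published on day zero; its tag lets a third party detect a swapped ciphertext, and the commitment ties the plaintext recovered after release to what was posted at sealing time. Note that the server holds the secret from issue time, so the scheme trusts the CERT operator not to leak keys early; the researcher never has to trust the vendor.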

  7. 60 days is not 5 by TouchAndGo · · Score: 2, Insightful

    So Google is defending the actions of an engineer who posted attack code on a Windows vulnerability 5 days after he reported it to Microsoft by saying that 60 days is more than enough time to fix a critical vulnerability...how exactly does that reasoning work?

    1. Re:60 days is not 5 by bunratty · · Score: 3, Insightful

      Google is saying that some companies *cough* Microsoft *cough* sit on security bugs for years until they're finally exploited, putting their users at risk. It's only by publicly disclosing the bug that these companies fix the problem.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:60 days is not 5 by Anonymous Coward · · Score: 5, Informative

      Read the actual reporting on what happened. Tavis gave MS 60 days, but they refused to commit to any timeline. So, he went ahead and disclosed immediately, along with a fix for affected systems.

      It's also important to understand that Tavis has been reporting critical vulnerabilities to MS for years--and in some cases waited over a year for them to push a fix. This time he saw something trivial that should be fixed immediately and he put their feet to the fire. Oddly enough, they did push out their own fix in under 60 days after the vulnerability was made public. So you don't have to agree with his methods, but you should at least frame the situation correctly.

  8. Jeopardy! by jrivar59 · · Score: 3, Funny

    I can only conclude that this Jeopardy! winner now works for Google.

  9. Please read what actually happened by benjymouse · · Score: 4, Insightful
    1. Tavis Ormandy reported the bug to Microsoft on a Saturday and wanted Microsoft to commit to a 60-day timeframe.
    2. On Tuesday (a Patch Tuesday, mind you) Microsoft told Mr. Ormandy that they would be able to present a plan the upcoming Friday - i.e. 3 days later and 6 days after the bug had been reported.
    3. Wednesday Mr. Ormandy went public.

    Microsoft *never* refused to commit to a timeline. They didn't commit to a timeline within 3 days, so 4 days after reporting the bug Mr. Ormandy went public. If he truly believed that 60 days would be reasonable he could just have informed MS that he would go public exactly 60 days later. But no, Ormandy just needed an excuse to go public and show the world how much smarter than Microsoft he is.

    60 days may seem long, but it is actually very close to the current average for the largest software providers - not just Microsoft. Mozilla patches much faster, but we have also seen several incidents where a Mozilla patch broke the browser and/or was ineffective. Consider the fallout if suddenly all French Windows XPs/Vistas were unable to boot. MS needs to regression test each and every combination. Remember what happened when malware caused Windows XPs to not boot because an old DLL had been patched and addresses assumed by the malware had shifted?

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Please read what actually happened by Your.Master · · Score: 4, Interesting

      So publicly disclose after 60 days like you said you would. Not after 5 days, like you said you wouldn't.

      "Yeah man, I knocked him out and stole his wallet. In my defense, he frequently undertips."

    2. Re:Please read what actually happened by bloodhawk · · Score: 3, Insightful

      Tavis gave MS a timeline and they said they can't commit right this instant but will get back to you by Friday (pretty reasonable considering it was a Patch Tuesday for them). Tavis then publishes on Wednesday like a total douchebag. There is no way you can twist this that makes Tavis look like anything but a douche. The only possible way he could have looked less of a prick is if he had waited till Saturday and, having had no further response, published it then; even then, though, it goes against what he claims is responsible disclosure.

    3. Re:Please read what actually happened by xous · · Score: 2, Insightful

      bah.

      It's not the security researcher's responsibility to cover Microsoft's ass. Anything he gives them is a gift, not a god damned right. If you want to blame someone for all the exploits, blame the dumb ass that decided to couple HTML Help shit with everything and allow it to execute binaries. Just fucking stupid.

      Sounds to me like Microsoft sat on its ass for three days and then told him /we will get back to you on Friday/, which would piss me the fuck off too. You can't fucking figure out in three days whether you can commit to having this fixed within a 60-day timeline? And to all the dumb fucks saying he should have released after the sixty days like he said: He wanted a sixty-day commitment in order to withhold the advisory. He didn't get one, so he promised nothing.

  10. I don't get it by T+Murphy · · Score: 2, Insightful

    What does this "eleeto" mean? Is it some sort of slang term or something?

  11. Sleep? Weekends? by Anonymous Coward · · Score: 2, Interesting

    Microsoft OS and app vulnerabilities are the only internet currency better than eGold. If you travelled in those circles you'd see how bad the situation is. I've been there and back, so I'll tell ya: it's bad. Bad. Really, really, really bad.

    If you'll pay $500, there are folks out there who will deliver the contents of your own email inbox unedited, for as far back as it goes, externally and without assistance. The most honest of them will sell you that info and let it go, but we all know there's a lot of account access information in your inbox - valuable information that could be worth more money elsewhere if you're in a responsible position.

    This market doesn't take weekends. It doesn't take coffee breaks. It doesn't go home at night. The Windows Vulnerability market is a Bazaar open 24/7, where admin access to any Windows machine can be had by any traveller with enough ready cash.