Vuln Disclosure Summarized
Wednesday, April 28, 2010 at 11:05PM I have an admittedly limited view of the exploit dev world. However, from what I've seen devs have very few options: (Please correct me if I'm wrong)
"Responsible Disclosure" =>
- Direct Contact => depending on the size of the vendor and their view on security, this could result in anything from a simple thanks, a reward, to a court hearing.
- Exploit Broker => possibly sell, possibly not, depends on the broker. The vuln could die on the table or stolen due to too much information being given during negotiations. This route has the same financial risk as direct contact, but a lot less risk of getting sued.
- ZDI (or other vuln clearing house) => "instant" cash, but admittedly less than an Exploit Broker could possible get based on the financial risk to ZDI. Close to zero risk of court time (they may come after you for selling the exploit). And a lot less financial risk since (IIRC) they pay up front. But then the vulns go to also undisclosed parties, potentially the highest bidder which is probably not the vendor.
- "other" secretive groups who share vulns for different reasons...
- Just to friends => No cash, no judicial risk, but you do risk them stealing/selling your exploit.
"Full Disclosure"
- Posting it to the web for all to see/user => Possible court time, but the definite upside is the vendor is forced to react. A very quick way to make enemies.
- Releasing at a conference => Probable court time.
"No Disclosure"
- Keeping it to yourself => Working under the assumption that your the only one that has found that same bug is still semi relevant due to the incredibly small size of the exploit dev community. However, as Dave said, they'll be toasting to their sleeping dead 0days some day.
"No More Free Bugs"
- My stance on this is split, while I think people should get paid for their work, I relate this movement to mowing someone's lawn and then ringing their doorbell and asking for money. However I'm sure Robert Graham's punch in the face metaphor also works.
//
Like, I have stated above, I am far and away a newbie to the vuln disclosure world and this debate has been going on since before I owned my own computer, but with the brilliant minds working at it, why doesn't anyone offer up a solid solution to it?
My solution? Create a standard, something that we all abide by. I know as hackers we rebel against such things but in the interest of getting better security out there (yes, that's what we are here for right?.... right?) we should should really work together on this. What sounds right?
I mean, what is the right way to approach someone who's lawn you've mowed for the work you have done? Maybe free for open source projects, and a price based on exploitability and market share of the affected product?
For reference:
Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
=> http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html
Vuln Disclosure is Rude by Robert Graham:
=> http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html
No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino Dai Zovi:
=> http://trailofbits.com/2009/03/22/no-more-free-bugs/
Dailydave Post by Dave Aitel:
=> http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html
--
Rob Fuller | Mubix
culture
Reader Comments (2)
"Coming up with a standard" is what the whole "responsible" disclosure movement created by Microsoft and a handful of other vendors is all about. It's also what RFPolicy was about. The problem is that no one can agree on what should be "standard", and have drastically different views on what that standard should be, how you define "responsible" and what responsibility entails, etc.
I think it is useful to also include the "public" vs "private" parts of disclosure, especially inside the "responsible disclosure" category. For instance, you report a vuln responsibly, but you never get public credit for it and the vendor never announces it to the public, while possibly stifling you with an NDA. Or you report a vuln, they accept and patch and announce it, and you get to announce details shortly after the patch is released.
Yeah, I've seen this come up previously, and a standard way of doing it has been attempted, but unfortunately no one agrees on the best way. Namely, researchers can't get agreement with enough vendors to make it standard. Every vendor wants to do it their way, and honestly if they get their way, nothing would ever truly be divulged.
If you mowed my lawn and I didn't know it until you were done and you asked for any sort of payment or compensation, I would probably say no, simply on principle. Not because I'm an ass, necessarily, but just on the principle that we didn't enter into any sort of contract, understood or explicit, for you to do work for me. (I'm ignoring that you're trepassing, because that starts to break down the point of using an analogy like that.) As a human, I'd probably compensate you in some fashion or just be neighborly in return when I shovel your snow next month, but on principle, I don't actually owe you anything.
All that said, I agree that "responsible" disclosure should be an achievable goal, but the realistic side of me doesn't think that will ever happen. Therefore I end up defaulting over to the side of full disclosure, i.e. tell the world and let the vendor react. As a consumer, admin, and security-conscious person, I'd rather have the knowledge out there, than have it stifled and hidden.
Besides, while I think monetary compensation is something we all could use, simple recognition does still go a long way. I know when I routinely see a particular name attached to vulns, I get the feeling that guy knows his sh!t. (Speaking of, that reminds me of a few missing names these days on the FD lists who used to post vulns almost daily...!)