
When is it right to go public with security flaws?

Posted on 27 Jul 2010 at 10:53

“It's just a different name for the same thing,” Sophos's senior technology consultant Graham Cluley told PC Pro.

“Some researchers who don't disclose vulnerabilities in co-ordination with the vendor have got their knickers in a twist that they're seen as irresponsible,” Cluley added. “Microsoft is fed up with the fight between the two sides of thought, and so is hoping to avoid any more debate by no longer using the word ‘responsible’ which implies everything else is irresponsible.”

It’s unclear whether Microsoft has more than terminology discussions planned for Black Hat this year, or whether it will also look to find middle ground with a promise to fix reported flaws within a set deadline.

Full disclosure

While full disclosure doesn't have the best reputation at the moment, it does more than pile pressure on vendors to fix flaws quickly.

F-Secure researcher Sean Sullivan notes that some vulnerabilities can be headed off by sharing the information. For example, when a security scam hits a social-networking site, the attack can spread quickly – but so can warnings against it. “It has its own immune system, in a way,” he noted.

However, it’s hard to ignore the 25,000 PCs infected via the Windows Support flaw in the gap between Ormandy publishing his exploit and Microsoft shipping a patch.

Bug bounty

One way of encouraging researchers to share their flaw finds with vendors is by paying them. Several antivirus firms pay up to $10,000 for a vulnerability, while Mozilla and Google have increased their top bounties to around $3,000.

Microsoft, on the other hand, isn't keen on handing out rewards to bug hunters. “We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way,” said Jerry Bryant, group manager for security communications at Microsoft. “Especially when across the researcher community the motivations aren’t always financial.”

Bryant noted that researchers are rewarded by being credited in Microsoft security bulletins, or by being offered contracts to test the fixes for the flaws they find. Microsoft might even bring the best talent in-house with job offers.

War of words

Tavis Ormandy: "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need."

Microsoft: "Once vulnerability details are released publicly, the probability of exploitation rises significantly."

Google: "We define being responsible as doing whatever it best takes to make end users safer."

What next for disclosure?

Regardless of what Microsoft announces at Black Hat, there will always be disagreement about which is better: full disclosure or responsible disclosure.

“The security world is made up of many individuals - and they don't all agree,” said Cluley. “Some will side with Tavis Ormandy and his buddies at Google, and others are much more sympathetic to Microsoft's approach of co-ordinating with the vendor.”

“All I can say is that, from my experience, most antivirus researchers feel very negatively about anyone who releases information that can help hackers exploit vulnerabilities before a patch is available,” he added. “On too many occasions details of a new vulnerability have been irresponsibly – yes, I'm going to use the word – publicised on the internet, giving hackers a blueprint to create malware that has impacted innocent users.”

Author: Nicole Kobie

User comments

vista registry issues with updates - error 57e

We have had problems with Office updates on Vista SP2 getting repeated error 57e, well documented on the net in that it is something to do with registry update permissions, we resolved this by uninstalling Rapport

By robmar0se on 28 Jul 2010


PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.