
Vulnerability disclosure policies

By Jake Edge
July 7, 2010

Security vulnerability disclosure policy is contentious. Vendors typically argue for "responsible disclosure", while some in the security community hold that "full disclosure" is the only way to fully protect the users of vulnerable software. There are other disclosure policies as well, but it is important to note that security researchers are under no obligation to disclose the flaws they find at all, which is something that everyone distributing software (vendors, projects, distributions, and so forth) should keep in mind. Anyone who finds a vulnerability and points it out is doing so as a favor, regardless of how the disclosure is done.

Full disclosure is the policy of publishing the details of a vulnerability as soon as it is found. That may alert attackers to the flaw, but it also alerts users and allows them to make their own choices about mitigating the problem. It also puts enormous pressure on the maker of the software to produce a fix in a timely fashion.

Responsible disclosure, on the other hand, puts the choices largely in the hands of the vendor or project. The idea is to give the software maker some amount of time (usually on the order of weeks) to fix the problem and release a patch before any disclosure of the flaw is made. It is meant to be "responsible" to users, so that attackers don't get a leg up on the installed, vulnerable software before there is a fix available. But responsible disclosure presupposes that attackers are not already aware of, and exploiting, the flaw; if they are, the silence protects the vendor's schedule rather than the users.

There has also been a trend toward "partial disclosure" in the last few years. Typically practiced by those looking to make a name for themselves, or to bring publicity to their research firm, partial disclosures are pretty much what they sound like: the announcement that a flaw exists, with as few details as possible. But there is a fine, and difficult to draw, line between providing enough detail to convince the security community that there is a flaw and disclosing so much that others can work out what the flaw is. Eventually, partial disclosures become some other kind of disclosure, either through the efforts of the original finder or because other researchers were able to reconstruct the flaw from the clues.

Something of a new wrinkle in disclosure policy is zero (or no) disclosure—at least without payment. VUPEN Security has announced two vulnerabilities in Microsoft Office 2010 on its security blog, but is unwilling to disclose them to Microsoft until and unless the software giant ponies up for the information. The H quotes VUPEN CEO Chaouki Bekrar: "Why should security services providers give away for free information aimed at making paid-for software more secure?"

While nothing requires security researchers to alert software makers to bugs in their code, it is a longstanding tradition to disclose those flaws. But security companies may now be more focused on mitigating any vulnerabilities they find for their own customers, leaving the rest of the user community high and dry, at least until some deep-pocketed organization steps up and pays. While some in our community might be amused that Microsoft (and its users) are being treated this way, it may not be so funny if it starts happening to Linux or free software projects.

Microsoft is hardly blameless here. For years it treated security vulnerabilities as nothing worse than a public relations problem. It has also had a rocky relationship with the security community, which has led to more than one exasperated disclosure of a "zero day" vulnerability. A recent privilege escalation in Vista and Server 2008 is just such a disclosure: researchers annoyed by the criticism of Tavis Ormandy for his release of a Windows vulnerability formed the "Microsoft-Spurned Researcher Collective" (MSRC, just like the Microsoft Security Response Center) to anonymously make these kinds of zero-day disclosures. It should be noted, though, that Microsoft is not alone; the Linux kernel community has also had a combative relationship with security researchers at times.

While there is little direct harm in security researchers keeping their knowledge of specific vulnerabilities to themselves, there is certainly the potential for harm in partial disclosures. This relatively new zero-disclosure policy is, in reality, just a form of partial disclosure, and may provide attackers with just enough information to focus their efforts: knowing that a particular product and version has an exploitable flaw narrows the search considerably. If these researchers truly want to be paid for their efforts, they would be much better served by working with the established players in the vulnerability-buying business (TippingPoint and others) or by approaching the affected vendor privately. For vulnerabilities in Linux and other free software, though, it is not particularly clear who would be willing to pick up the tab. We will just have to hope that, if that happens, any loud zero disclosure of such a flaw provides enough clues for the "white hats" to track down the problem in short order.


Vulnerability disclosure policies

Posted Jul 8, 2010 5:45 UTC (Thu) by Cato (subscriber, #7643)

I would hope that enterprise Linux vendors would be willing to pay for details of Linux vulnerabilities, as their customers are security conscious and these vendors already invest a lot in security. For those vendors that use a close to mainline kernel, this would also help the wider Linux community.

Vulnerability disclosure policies

Posted Jul 10, 2010 2:51 UTC (Sat) by quotemstr (subscriber, #45331)

Ah, but paying for vulnerabilities only encourages these scumbags.

Vulnerability disclosure policies

Posted Jul 8, 2010 11:31 UTC (Thu) by error27 (subscriber, #8346)

Say if you find a wallet in the street. You would expect the owner to give you 10% of the money inside as a finder's fee after you returned it. That's the law in a lot of places. It's not unreasonable to expect a finder's fee for security bugs as well.

The trick is agreeing on a fair price. In the end you're paying for the information and the secrecy. So probably it should be a per day fee until the bug is fixed and a lump sum at the end.

I probably wouldn't take any money for returning a wallet, but I paid it happily the last time when someone found mine.

Vulnerability disclosure policies

Posted Jul 8, 2010 12:25 UTC (Thu) by mpr22 (subscriber, #60784)

Uh, no, I wouldn't expect a finder's fee for returning someone's wallet (even though I wouldn't be particularly offended, upset, or surprised to find they'd returned it sans cash - it's not like I can prove it was them who removed it!), and I think any law enshrining an entitlement/requirement for such should be amended or repealed to remove it.

I'd cheerfully buy the person who returned it a drink if all the cash was still there, though.

Vulnerability disclosure policies

Posted Jul 8, 2010 13:44 UTC (Thu) by NRArnot (subscriber, #3033)

Back in the days of film cameras, a keen photographer friend always kept a self-addressed and stamped envelope in his kit-bag, with a note asking anyone who had stolen the bag, to return the exposed films rather than throwing them away.

It worked.

Vulnerability disclosure policies - lost and found

Posted Jul 10, 2010 0:18 UTC (Sat) by giraffedata (subscriber, #1954)

It is the law in California, and I suspect most of the U.S., that if you find someone's lost property, you must make an effort to return it to its owner, and you are not entitled to any reward.

This expresses some people's view of civility, but it also may prevent the recovery of some property, since someone can't make a business out of finding and returning property. The same could be said about reporting bugs. If we consider it a person's obligation to disclose a bug for free once he finds it, how much incentive does he have to look for bugs?

Vulnerability disclosure policies - lost and found

Posted Jul 13, 2010 12:10 UTC (Tue) by mpr22 (subscriber, #60784)

He gets to feel smarter than the author of the buggy code.

Vulnerability disclosure policies - lost and found

Posted Jul 13, 2010 14:20 UTC (Tue) by giraffedata (subscriber, #1954)

> If we consider it a person's obligation to disclose a bug for free once he finds it, how much incentive does he have to look for bugs?

> He gets to feel smarter than the author of the buggy code.

That's a good incentive for hobby-level bug investigation, but not enough to give up one's day job or hire a staff or give someone a research grant. I don't know much about the project in question here, but I have the impression that many of these bug hunters put more than recreational level effort into it.

Vulnerability disclosure policies - lost and found

Posted Jul 15, 2010 3:43 UTC (Thu) by jjs (guest, #10315)

Better code? People search for bugs because they're USING the software. They find bugs and report them so THEY get better software. It's capitalism at its finest - people doing things because of their own interest.

Look at how Apache came into being for an example.

Vulnerability disclosure policies

Posted Jul 8, 2010 13:38 UTC (Thu) by NRArnot (subscriber, #3033)

The fair price is surely that the vendor of the software fixes the bug you report, promptly and without attempting to charge customers more for the benefit of the fix to what was a defective product in the first place?

With open software that's all but guaranteed. Even if the lead developers or maintainers won't fix it, the source is available so anyone else who cares can fork it and fix it. Anyway, in the absence of a direct profit motive, developers are motivated to maintain their reputation. The last thing they want is for that to be tarnished by not fixing security issues.

With proprietary? There are many cases of Microsoft and their like burying their heads in the sand for months or years until the bug is being exploited by vandals and criminals. There are also more than a few instances where the bug is fixed in the latest version only; no fix is made available to users of earlier versions who do not wish to pay to upgrade (or who may not wish to down, sorry up, -grade even if it were possible for free). In other words, the manufacturer is profiting by virtue of having sold a defective product in the first instance!

So my feeling is that zero disclosure is not unreasonable in the case of proprietary software. To put it crudely, screw them, because they are screwing you.

Vulnerability disclosure policies

Posted Jul 8, 2010 15:17 UTC (Thu) by foom (subscriber, #14868)

Must be a cultural thing. Here in the northeast USA, I've never heard of any such expectation.

I do have another expectation, though: that the wallet most likely won't be returned at all, or if it is, that 100% of the cash would have somehow gone missing by that time.

I guess if someone actually came to my door with my wallet, I might be sufficiently surprised and grateful that they made the effort of coming to me that I'd give them some of it. :)

Vulnerability disclosure policies

Posted Jul 17, 2010 8:39 UTC (Sat) by oak (guest, #2786)

> The trick is agreeing on a fair price. In the end you're paying for the information and the secrecy. So probably it should be a per day fee until the bug is fixed and a lump sum at the end.

How could you agree on the price without knowing the details of the issue, e.g. whether it is even real?

Vulnerability disclosure policies

Posted Jul 8, 2010 16:34 UTC (Thu) by joey (subscriber, #328)

I think the last sentence gets at a key point:

"hope that [..] any loud zero disclosure of a flaw like that provides enough clues for the "white hats" to track down the problem in short order"

Auctioning off security flaws to the highest bidder is not a white hat activity. Giving the vendor first crack at buying your security flaw is, likewise, not a white hat activity.

Vulnerability disclosure policies

Posted Jul 8, 2010 20:23 UTC (Thu) by jmm (subscriber, #34596)

> While some in our community might be amused that Microsoft (and its users)
> are being treated this way, it may not be so funny if it starts happening
> to Linux or free software projects.

This has actually happened to a free software project already:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3571

This information - if it's not a hoax - is still not public.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds