
The bug disclosure debate continues

"Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said Saturday.

The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla security chief Window Snyder said in a panel discussion at the ShmooCon hacker event here.

"The researcher has all the power," Snyder said. "They control when they disclose it, and they control the idea whether or not the vendor responds in time." "


"Another frequent point of criticism is the time it takes for a fix to be released and for the researcher to get credit in a security alert.

"Vendors have a real responsibility to respond to what's reported to them," said Snyder, who previously worked at Microsoft.

But not everyone buys into responsible disclosure. It is a trap set by software makers, said panel member Dave Aitel, of security software firm Immunity. "Responsible disclosure is a marketing term," he said. "Responsible disclosure plays into the hands of Microsoft and other big vendors...they are trying to control the process."

Instead of disclosing a flaw to the vendor, Aitel wants bug hunters to sell vulnerability information to him. Immunity pays bug hunters for details on security vulnerabilities and uses those in his company's products, which include penetration-testing tools that can be used to break into computers and networks." - ZDNet

I agree with Window: vuln finders do have all the power. I also agree with Dave Aitel that vendors do want to control the process. Frankly, if a researcher finds a flaw and reports it to the vendor first, the vendor should be kissing their ass for not going to the news first or selling it to the blackhats. The vendor should also act as quickly as possible to roll out a fix to protect their customers, and keep a friendly relationship with the security researcher while doing so. If the vendor is unable to work out how to fix the problem internally, they should consult a third party (the researcher, if need be).

I also believe that certain vulnerabilities are worth a lot of money; however, this entirely depends on your motives. If you are a researcher who only cares about the problem getting fixed, then telling only the vendor is all that is required, assuming they address it within a reasonable amount of time. If the vendor blows you off or tries to hush you, then by all means disclose. If you are a researcher who wants to profit from their hard work and are considering selling it to a company like Immunity, TippingPoint or iDefense, then by all means sell to the highest bidder. I would, however, strongly suggest that you do not try to sell it to the vendor affected by the issue: you will be sued and things will not go your way. If you are a company that profits from this vulnerability by protecting your customers from it (TippingPoint, Immunity, iDefense), then start reconsidering your pricing models and open your wallets. The researchers know you profit from it and are becoming aware that you need them. </rant>

Article Link: http://news.zdnet.com/2100-1009_22-6170219.html

