Vulnerability Disclosures, Discussions and Days Gone By…
Good, rational discussions on vulnerability disclosure are few and far between. This is generally because:
a) it's less cool than actually doing vulnerability research;
b) it's got a long history (and therefore has many people with battle-scars);
c) it seems to attract almost religious fervor.
Discussing it is almost always confused with "picking a side" (which is generally a pretty good indication that people have abandoned reason on a topic).
This discussion popped up again recently, when @taviso and @dinodaizovi squared off over several OSX fontd sandbox escapes disclosed by the Google Project Zero team.
Although it slightly distracts from the topic, it's worth noting that in this case, the Google team only released info on the bugs after Apple had patched the specific bugs. Dino's argument was around the fact that the bugs pointed to a particularly vulnerable area of code, and that Project Zero had just painted a target on its back. (He used the fact that other fontd bugs showed up on Pastebin almost immediately after the Project Zero post as proof of this.)
@dinodaizovi I know right, If it wasn't for blabbermouth researchers everybody would be 100% secure.
— Tavis Ormandy (@taviso) May 1, 2015
The discussion ran for dozens of tweets, and like anything from Dino & Taviso, is worth reading. It can be read in its entirety here.
Although the discussion had contributions from lots of others, I have not included them all. I have re-ordered some of the tweets to bundle distinct argument threads.
While both Tavis and Dino have obviously pondered disclosure (and its merits) for many moons, lots of the people who screamed tweets in between seemed blissfully unaware of the history of disclosure (or the history of the researchers in question). As stated earlier, we believe that history is part of the reason that people are so divided on this topic, which is why we believe that this timeline is worth the effort.
If you are planning on "picking a side" - here's a few points worth considering:
- The discussion isn't new:
  - As far back as the 19th century, we had locksmiths trying to figure out how to reasonably disclose weaknesses in locks
  - The Zardoz mailing list back in 1989 struggled with the gap between sharing knowledge and knowledge falling into the wrong hands
- The solution isn't simple:
  - If a pair of infosec heavyweights like taviso and dino can't agree (with decades of positive contributions to the field), then it's safe to say that your single tweet missive on it possibly lacks some depth.
We won't be able to resolve the disclosure question in a single post, but figure we can make a contribution by dropping some history and noting all of the arguments in one spot. So you can still pick a side and be opinionated, but at least with a more filled-in background ;>
- (bug-finders) We have seen that Vendors ignore researchers & resist making changes unless threatened with disclosure
- (vendors) We get 1000000 bug reports and simply rebuilding our software across all language-packs / distributions takes 4 days - we can't turn out a reliable patch in 30 minutes.
- (bug-finder) If I found the bug, someone else [possibly|probably] has too (and clearly isn't talking about it). I should let everyone else know
- (human) we have seen people try to keep bugs shared in tight groups before (and we have often seen the bugs leak anyway)
- (human) you are disclosing the bug to get glory / marketing for your company
- (human) you are looking for bugs to make your competition / someone look bad
- (human) you SHOULD do XYZ with your bugs!
- (bug-finder) You spent your weekend/June painting. I spent mine bug-finding. I don't tell you what to do with your paint. You don't tell me what to do with my bugs.
- (bug-finder) This is a specialized service. The software vendor gets free QA. Why should I tell them anything?
- (vendor) Either you do it our way (which is responsible) or you do it your way.
- (vendor) you're putting my customers at risk
- (vendor) you’re violating EULAs
- (vendor) you’re harming our reputation with over-hyped bugs
- (bug-finder) I didn't put the bug there, I just discovered it. If anyone is liable, it's the vendor
- (human) You want to keep bugs silent because you want to profit by selling them
- (human) You want to keep bugs silent because you want to profit by selling them to evil governments who use them against dissidents
- (human) I don't ask you to work for free.. Don't ask me to work for free.
- (bug-finder) If a bug is released to everyone, everyone has the opportunity to fix it/take prophylactic measures
- (human) malware kits and exploit kits routinely use old exploits. Releasing exploits helps those people attack the masses
- (bug-finder) I must work to find the bug, then work to report it YOUR WAY, then educate your team.. FOR A TSHIRT AND A SMILE.. It's easier to keep silent
- (human) it annoys me that Group-X claim to be Internet Saviours/Super Heroes.. They make bad calls too!
- (human) if you report a bug to a vendor, and don't tell the rest of us, a string of other parties also gain that information in the interim. We become vulnerable to all those people with no ability to mitigate the threat until we are informed.
- (human) most people can't use typical disclosure information without strong guidance from the vendor, so don't release information without this vendor guidance
- (human) you rushed to tell the world about the bug because you didn't want to be "beaten to it"
- (human) if you talk about a bug without releasing technical details, you deny me the ability to accurately assess my risk
- (bug-finder) reporting and chasing individual bugs is stupid. Only solutions that solve bug-classes are worth it
- (bug-seller) you are complaining about my 0day sales - people get owned with old-day
- (human) Bug moratoriums almost never work. I recall dozens of cases where moratoriums were in place, and the details leaked.
Finally, we figured this piece could end in classic he-said, she-said style, with references to old pieces on the same topic.
Elias Levy's 2001 article Full Disclosure is a necessary evil -
"In a perfect world, there would be no need for full disclosure. But we don't live in a perfect world, and full disclosure is a necessary evil."
vs.
Marcus Ranum's The Vulnerability Disclosure Game: Are We More Secure? -
"Those of you who are playing the disclosure game are just playing for your two minutes of fame: You're not making software better."
Thanks to some tireless work by @Thu_Duo, you can browse events germane to the Disclosure Debate here.
Thanks to Marco Slaviero, Azhar Desai, Ivan Arce, Dino Dai Zovi, theGrugq, Isaac Dawson & Steve Manzuik for contributions and corrections.