History of Vulnerability Disclosure
.jpg)
00. 1853
Locksmiths
The Rudimentary Treatise on the Construction of Locks was penned by locksmith Alfred C. Hobbes, shedding light on early lock construction. He acknowledged the rising debate over discussing the security/insecurity of locks, arguing for disclosure in the name of innovation:
In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention.
This would earmark the beginnings of the debate on revealing the insecurities of security solutions for the sake of improving security.
Source: Hobbes, A.C. (1853). Rudimentary Treatise on the Construction of Locks. London, England: Levey, Robson and Franklyn.
01. 1988
Morris Worm
A freshman computer science graduate student at Cornell, Robert Morris, created and released a worm from MIT that infected several thousand computers which became known as the first major virus to gain mainstream attention. It exploited several known vulnerabilities and weak passwords (via a dictionary attack).
He was the first to be convicted under the Computer Fraud and Abuse Act of 1986, and was sentenced to three years’ probation and a fine.
This incident is an early example of a form of public exploit disclosure - the attempts to propagate the worm in the wild is one way to bring attention to the fact that many vulnerabilities exist.
02. 1989
Zardoz
Zardoz (formal name: Security Digest) was an exclusive worldwide security mailing list in which the infosec industry discussed newly discovered bugs. Paranoid white hats would only hint at new bugs, with little explanation.
Debate ensued: some argued that Zardoz was only helpful if everyone posted detailed explanations on how to exploit a certain security hole. Others still argued that Zardoz could fall into the wrong hands, allowing anyone to take advantage of the exploit instructions. Zardoz’s last issue on record was in 1991.
Source: Dreyfus, S. and Assange, J. (1997). Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier. Reed Books Australia.
03. 1999
Nomad Mobile Research Center Disclosure Policy
NRMC formalized a bug disclosure policy stating they would first work to verify the problem, then contact the vendor with technical details to reproduce the problem.
They would give a vendor a month’s notice before they went public, if it’s a very high priority problem. Otherwise, vendors are given a week to respond.
Common Vulnerabilities and Exposures (CVE)
The MITRE Corporation, a non-profit providing technical support to the government, developed a reference system to integrate and manage vulnerability information from different sources into a centralized database.
Initially conceived as a Common Vulnerability Enumeration, the authors intended to standardize vulnerability information that would:
- Enumerates and discriminates between all known vulnerabilities
- Assigns a standard and unique name to each vulnerability (for consistency)
- Exists independently of the different perspectives of what a vulnerability is
- Is publicly open and shareable without distribution restrictions
04. 2000
RFPolicy
Originally created by ‘rain forest puppy’ and posted to the Bugtraq mailing list, the RFPolicy was written to help establish guidelines for disclosure.
Version 2.0 states that vendors and software maintainers have five working days to return contact to the person that reported a bug to them. Failure to contact them encourages the person to publicly disclose the security problem. The policy doesn’t require that software vendors come up with a fix in the time period, but only that they establish communication after five days and keep in contact with them.
This was prompted due to many responses from vendors such as "we were never given a chance," or "there is an 'unwritten' standard of notifying the vendor X days ahead of time," etc.
Marcus Ranum Black Hat Talk (Script Kiddiez Suck)
Security researcher Marcus Ranum gave a talk at Black Hat, Script Kiddiez Suck, arguing for infosec professionals to keep security vulnerabilities secret, as well as to stop creating tools that exploit the vulnerabilities.
Ranum argued for the need to reduce script kiddies in order for the industry to get perspective on the real threats. Likening hacking to “amateur terrorism,” he advocated reducing the gray area between white hats (ethical hackers) and black hats (malicious hackers) as a counter-terrorist model.
His talk raised some questions about the practice of full disclosure, including how are vendors responding? And, are users capable of protecting themselves?
Automatic Software Updates
Now more and more companies are turning to automatic updates to software, allowing them to patch for bugs faster and reach more users; shifting the onus of software maintenance off of the consumer and to the vendor.
Windows introduced automatic updates in their Windows Millennium Edition (ME) that checks for security and critical updates once a day, which users must turn on. Google Chrome automatically updates by default, checking for security updates every five hours.
This is a game-changer for the disclosure debate that questions how long will it be before people can be protected against new vulnerabilities.
NTBugtraq
The NTBugtraq mailing list was created for public discussion of security exploits or bugs in Microsoft products and third-party products that run on Microsoft OS systems. In 2000, it was sold to ICSA.net, a security division of Verizon.
05. 2001
The Dmitry Sklyarov Affair
Russian programmer, Dmitry Sklyarov, was arrested and prosecuted under the Digital Millennium Copyright Act (DMCA). Sklyarov, working for ElcomSoft, developed and marketed software that decrypts Adobe’s eBook DRM (Digital Rights Management), the technology that protects against the unauthorized copying of the eBook format.
Skylavrov was arrested by the FBI while he was attending DEF CON and held without bail. However, mailing lists and websites organized protests, calling for his release, arguing that the software was created legally in Russia.
This incident also demonstrates and raises questions about the prosecution of security researchers that publish software security bypasses, and find weaknesses in encryption.
Code Red
Code Red was a self-replicating/spreading computer worm that attacked Microsoft servers, spreading rapidly around the world - in less than 14 hours, 359,104 hosts were compromised, according to CAIDA.org.
Security researchers Ryan Permeh and Marc Maiffret of eEye Digital Security named the worm Code Red, in honor of their Code Red Mountain Dew-fueled night of disassembling and analyzing the worm. This would mark the prelude to the bug-naming hype that would soon follow throughout the industry.
Nimda
The Nimda worm, dubbed one of the worst bugs in history, affected systems running various versions of Microsoft Windows and spread rapidly via email, browsers and networks. Antivirus researchers named the virus Nimda, which is ‘admin’ backwards - a nod to the worm’s creation of an admin account and placement of an Admin file on infected computers. This also marked the beginning of code-name hype.
Antisecurity.is
Anti.security.is is the website supporting the movement to stop the disclosure of all unknown or non-public exploits and vulnerabilities in order to prevent script kiddies from using the methods to compromise systems. It argued against full disclosure, claiming “a digital holocaust” occurs each time an exploit appears on Bugtraq, the vulnerability mailing list.
They also claim that security companies profit from the “infosec war,” as they use scare tactics to motivate buyers into buying their security products.
06. 2002
Full Disclosure
Full disclosure refers to publishing information about security vulnerabilities publicly, informing everyone as soon as possible - a concept many people that posted to Bugtraq and Zardoz believed in.
Out of that concept, a new mailing list was born - the Full Disclosure mailing list is a public, vendor-neutral forum to discuss vulnerabilities and exploit techniques, as well as news and events of interest to the infosec community. The list was originally created by Len Rose, handed off to John Cartwright and then restarted by Gordon Lyon on Insecure.org.
Slammer
The SQL slammer worm caused a denial of service on some Internet hosts and slowed down traffic, spreading rapidly and infecting 75,000 users in minutes. But where did it come from?
In 2002, security researcher David Litchfield of NGSSoftware presented at Black Hat in Las Vegas on an SQL server exploit, demoing proof of concept code. Later, he realized that his code may have been used by malicious hackers as a template for the Slammer worm.
This prompted him to question the benefit of publishing sample code, stating that perhaps there were some cases in which the bad outweighs the good.
Open Source Vulnerability DataBase (OSVDB)
The OSVDB was founded at the infosec conferences, Black Hat and DEF CON, created to provide an accurate, detailed and unbiased technical information about all types of vulnerabilities.
The OSVDB was opened for public use in 2004, and a nonprofit was created to support the database, the Open Security Foundation. As a vendor-neutral vulnerability database, information sources include security mailing lists, exploit aggregation sites, vendor websites and more - once validated, it is reviewed by project moderators for inclusion.
07. 2005
Mike Lynn: CiscoGate
Security researcher Mike Lynn presented The Holy Grail: Cisco IOS Shellcode and Remote Execution at the infosec conference Black Hat, detailing how to run attack code on Cisco’s OS by exploiting an iOS security flaw, allowing attackers to gain control of Cisco routers. Shortly before the presentation, Lynn quit his job at Internet Security Systems (ISS).
Cisco went to great lengths to censor Lynn’s presentation - cutting his slides out of the presentation materials and seizing CDs containing his research. Legal action was later taken against Lynn and Black Hat, as Cisco claimed Lynn had disclosed trade secrets.
The incident raised the question of vendors’ roles in censorship, as Bruce Schneier directly addressed in Cisco Harasses Security Researcher:
The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security… If free speech is subordinate to corporate demands, then we are all much less safe.
08. 2006
Bugtraq / SecurityFocus
The Bugtraq mailing list was handed over to David McKinney at SecurityFocus (Symantec), making him the primary moderator in 2006. In 2002, SecurityFocus was acquired by Symantec, which put the mailing list into the hands of a security vendor.
09. 2007
Pwn2Own
Pwn2Own is a computer hacking contest held each year at CanSecWest that challenges participants to exploit devices with new vulnerabilities. The winners get to own the device they ‘pwn,’ as well as a cash prize.
The first Pwn2Own contest in 2007 focused on testing the security of Apple’s Mac OS X operating system running on MacBook Pro laptops.
WabiSabi Labi
WabiSabi Labi Ltd. created an online marketplace for software vulnerabilities, allowing security researchers to submit unknown software vulnerabilities also known as zero-days.
Qualified buyers can subsequently bid on the zero-days and buy them with an exclusivity option that prevents them from being sold to anyone else, or allows them to be sold to multiple buyers.
The marketplace is built on the premise that ethical disclosure is unfair since researchers are not compensated for the work they do, creating a way for researchers to get paid a fair market rate for the zero-days they discover.
Charlie Miller / 0-Day Exploit Sales Paper
Security researcher Charlie Miller published a paper, The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales arguing that security researchers should be legally compensated for their exploit research.
His paper detailed the early days of attempts to sell zero-days, and the problems he ran into: the time-sensitive nature of selling zero-days, lack of pricing transparency, difficulty finding buyers and sellers, validating the buyer, exclusive rights and more.
Miller was able to negotiate a sale for $50,000 for a common Linux daemon, which he wasn’t sure was fair market price. He told another story of an acquaintance that resulted in a spoiled sale, as the company had patched the vulnerability in the time it took them to negotiate pricing.
iPhone Jailbreak Exploits for Sale
Jailbreaking gives a user root access to the iOS platform, allowing them to install apps that aren’t vetted by Apple and to mess with the OS. And these jailbreaks need exploits to leverage.
The early jailbreaks used publicly released bugs. When the first iPhone was released in 2007, Google Security Researcher Tavis Ormandy found that the version of Libtiff (TIFF image processor) had a known vulnerability that allowed a malicious website to get remote root access to the device, just by surfing the site.
But as jailbreaks became harder, the bugs backing them became more expensive, and disclosing them became less common. In 2012, the Grugq spoke to Forbes, revealing how he would broker zero-day exploits between researchers and government agencies - iOS exploits came with a price tag of $100k to $250k, much pricier than exploits for other apps.
The going rates kept going up - in 2013, a leaked audio recording revealed that George Hotz (geohot) attempted to sell his iOS 7 jailbreak exploits for $350k. That sale never happened, as another team rushed to sell the jailbreak - the Evad3rs released an iOS 7 jailbreak that installed the Chinese app store, TaiG by default on iPhones. The jailbreak was said to have sold for one million to the Chinese company. Controversy arose as pirated apps were found in the app store.
Source: Miller, C.; Blazakis, D.; Dai Zovi, D.; Esser, S.; Iozzo, V.; Weinmann, R.P. (2012). iOS Hacker’s Handbook. Indianapolis, IN: John Wiley & Sons, Inc.
010. 2008
Kaminsky Disclosure Policy
Security Researcher Dan Kaminsky had discovered a major flaw in the Domain Name System (DNS) protocol (also known as Berkeley Internet Name Domain, BIND) which allowed attackers to conduct a cache poisoning attack and redirect traffic to malicious hosts.
Kaminksy disclosed the breach to the DNS community and an emergency summit of only 16 people was convened at Microsoft’s headquarters. He secretly worked with DNS vendors to develop a fix, and on July 8, 2008, different vendors simultaneously released patches of their products for this bug. However, just 13 days after discovery, details of the bug were leaked on a blog.
Kaminksy presented his findings at the 2008 Black Hat infosec conference. While some in the security community criticized him for not immediately disclosing the bug, others thought he disclosed responsibly while working with vendors to find a fix.
MTBA Subway Ticket Hack Dispute
Three MIT students were stopped from presenting their transportation security research at the 2008 DEF CON infosec conference. They had planned to reveal how to reprogram the Massachusetts Bay Transportation Authority (MTBA)’s subway ticket to contain over $600 with the use of a magnetic stripe writer.
They were hit with a restraining order days before DEF CON, despite meeting with MBTA representatives weeks before to discuss the vulnerabilities that they didn’t intend to disclose publicly. Ironically enough, the presentation slides and vulnerability assessment report was leaked online, as the MBTA had included them in their formal complaint.
However, there is dispute over whether the students had practiced responsible disclosure, as they attempted to communicate with the MBTA only about two weeks prior to DEF CON. Traditionally, researchers give at least a month after notification before disclosing a vulnerability in a software system, while more time is given for hardware-related vulnerabilities.
Conversely, others in the security community argued that the MBTA could have asked for more time to fix the problem instead of suing the students.
011. 2009
No More Free Bugs
A new meme emerged, touted by Alex Sotirov, Dino Dai Zovi and Charlie Miller at the infosec conference, CanSecWest: "No More Free Bugs" signified the end of software makers benefiting off of the free work done by security researchers that spend days or weeks looking for security vulnerabilities that affect vendors’ products.
Branching out from the disclosure debate, this philosophy argued that vulnerabilities have legitimate value, and researchers take on a great deal of risk in disclosing them. This would start a discussion on bug bounty programs in which vendors would compensate researchers for bugs found in their products.
TLS Authentication Gap Bug
Discovered by Marsh Ray and Steve Dispensa of PhoneFactor with involvement by Steve Manzuik, the TLS authentication gap bug allowed a man-in-the-middle attacker to inject plaintext into encrypted, secure communications channel.
The bug was initially kept quiet while they alerted various TLS developers and vendors, including Google and Mozilla, in order to find a fix, dubbed Project Mogul. However, the bug was disclosed publicly on the Internet Engineering Task Force (IETF) TLS mailing list by Martin Rex of SAP.
As a result, a working exploit emerged days after the bug was disclosed that attacked the Twitter API. A new SSL protocol replaced the insecure version in 2010.
012. 2010
Weev / AT&T
Andrew “Weev” Auernheimer and Daniel Spitler discovered a security hole in AT&T’s website that allowed anyone to get the email address and ICC-ID of iPad users. They wrote a script that harvested the email addresses of 120,000 iPad users, including many government officials.
After they provided proof and sent the vulnerability to many media outlets, AT&T brought charges against the pair, alleging they violated the Computer Fraud and Abuse Act (CFAA).
Weev was sentenced to three and a half years in prison, which was ultimately overturned after an appeal, based on a technicality on the error of venue.
Microsoft’s Coordinated Vulnerability Disclosure (CVD)
Microsoft outlined their own policy, Coordinated Vulnerability Disclosure (CVD), for engaging with researchers, favoring responsible disclosure over full disclosure. Responsible disclosure dictates that the vulnerability is reported privately to the vendor and no one else until the vendor issues a patch.
CVD is Microsoft’s term for ‘responsible disclosure,’ without the subjective term, ‘responsible.’ CVD still favors reporting issues to vendors privately and working out a plan for a fix. If vendors aren’t responding, then security advisories with limited details should be published. CVD also favors coordinated public disclosure that coincides with the vendor update release.
013. 2012
Pwn2Own New Rules
The new rules of the contest required on-the-spot writing of exploits, as well as the elimination of ‘random draw’ which allowed security researchers to present their exploits in random order by the luck of the draw.
Security researcher Charlie Miller spoke out against the new structure, claiming that on-the-spot exploit writing turned the competition into more of a capture-the-flag format that rewarded larger teams, benefiting full-time researchers.
There was also controversy over how exploits would be shared with affected vendors, which led to Google’s sponsorship withdrawal after they learned that participants were allowed to enter the contest without initially disclosing vulnerabilities to vendors. Google subsequently launched its own Pwnium contest with cash prizes for researchers that exploited the Chrome browser.
MAPP leak
The Microsoft Active Protections Program (MAPP) is a program for security software providers that gives them early access to vulnerability information, allowing them to provide updates and patches to customers faster.
In 2012, a proof-of-concept code for a serious Windows security hole was leaked and published on a Chinese-language forum, allowing hackers to launch remote code execution attacks against Microsoft’s RDP protocol, which affected nearly five million machines.
This gave outsiders advanced notice of the code and vulnerability before a Microsoft patch was released, defeating the purpose of the program.
014. 2013
0-Day Brokers
Zero-day brokerage services emerged as a way to connect government and corporate buyers with security researchers and hackers - while taking a cut of the profits (typically 15 percent). Once convicted of hacking-related crimes in 1999, security consultant Kevin Mitnick launched a Zero-Day Exploit Exchange service that offers buyer privacy and timely, secure payment.
But selling exploits to government agencies is not without ethical or political controversy. Foreign governments that buy zero-days may be using them against the countries or opponents as part of an espionage or otherwise malicious attack. Plus, the black market allows for the sale of exploits, often bought with criminal intent.
015. 2014
Microsoft ISO for Vulnerability Disclosure
Microsoft worked on an ISO (International Organization for Standardization)/IEC (the International Electrotechnical Commission) guideline for the disclosure of potential vulnerabilities in vendor products.
The ISO/IEC 29147:2014 guidelines provide direction for vendors on:
- How to receive information about potential vulnerabilities
- How to disseminate resolution information
- The information items that should be produced through implementation of the vendor’s disclosure process
The ISO also provides examples of content that should be included in the information items.
Heartbleed
In April 2014, the Heartbleed Bug emerged as a serious vulnerability in the OpenSSL cryptographic software library.
The bug allowed anyone to read the memory of systems protected by vulnerable versions of OpenSSL. Since SSL/TLS encryption protects Internet apps, privacy, web, email, instant messaging and VPNs, this was a very serious bug.
The bug was named after the OpenSSL’s implementation of the TLS/DTLS heartbeat extension - when exploited, it leaks memory from the server to the client, and from the client to the server. The name, logo and severity of the bug helped propel it into mainstream media.
Shellshock
In September 2014, a series of security bugs affecting networks and websites relying on Unix and Linux were reported, named Shellshock - this allowed an attacker to execute arbitrary commands via vulnerable versions of Unix Bash shell.
Similar to Heartbleed, this bug was widespread and extremely critical - but more so than Heartbleed, since Shellshock allowed attackers to take control of vulnerable systems. It also had a catchy name and was covered by mainstream media.
Google Project Zero
Previously, it was mostly security companies that had small teams dedicated to finding bugs, such as IBM’s X-Force and Bindview’s RAZOR team. But now a major search engine tech giant has joined the hunt - Google created a team known as Project Zero comprised of top Google security researchers working full-time to identify zero-day vulnerabilities in not only Google software, but any software.
One case for controversy was in early 2015, when Google released details on a Window security flaw just two days before Microsoft planned to issue a patch to address the issue.The bug allowed low-level users to become administrators by escalating their access to sensitive functions.
The bug was disclosed by Google’s security research team, Project Zero that discloses vulnerabilities publicly after giving companies a 90-day deadline to fix problems.
As a result, Microsoft proposed Coordinated Vulnerability Disclosure (CVD), which allows companies to issue fixes before flaws become public knowledge, and asks researchers to keep vulnerabilities private until a fix is available. Google argued that they had found and disclosed three different vulnerabilities, per their disclosure policy, before Microsoft could issue a patch.
Dan Geer’s Black Hat Keynote: Cybersecurity As RealPolitik
Dan Geer, CISO of In-Q-Tel, a nonprofit that supports the Central Intelligence Agency (CIA), gave a keynote speech at Black Hat 2014 that included 10 security policy proposals to regulate and improve upon the infosec industry.
One of his proposals suggested that the U.S. government should openly corner the world vulnerability market by buying all of them (being the highest bidder) and making them public. This is based off of the idea that vulnerabilities are sparse, not dense, and that it would be advantageous to corner the market.
He suggests that by overpaying we would enlarge the talent pool of vulnerability finders, and by making every single vulnerability purchased public, we devalue them. He argues that we don’t need intelligence on our adversaries weapons if we have a comprehensive inventory of the world’s vulnerabilities, and shared them with software vendors.
016. 2015
BACKRONYM
Security researcher Adam Goodman of Duo Security reported a security bug, BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks Yikes MySQL) that affected MySQL. Along with a few members of the Duo Security DevOps team, Goodman found that MySQL clients were vulnerable to Man-in-the-Middle attacks.
The website pokes fun at the commodification of vulnerabilities:
A new and serious vulnerability has been identified in a popular software library. How do we know it's serious? Because the vulnerability has a clever name, sweet logo, and as much hype as we can generate from a single web page.