Responsible Disclosure Debates……What about No Disclosure?
This topic has been hot again in recent times and we’ve been asked a few times what our position on it is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp: advisories went out only after the vendors had announced patches for the vulnerabilities (and in some cases exploits were developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here, but is the third option, no disclosure outside of the vendor or client, a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are the figures in yearly stats and surveys because of this area? (I don’t mean sales of vulns to organisations who buy them; I mean those vulns discovered in vendor systems and applications and those detected in personal engagements for clients in home-grown systems and applications.)
This is probably a position Securus Global adopts more than others, with each case determined on its own merits. I know the ratio of what we find to what is “responsibly disclosed” and then posted (or about to be posted) as a world-wide advisory is hugely lop-sided. While we are waiting on a few vendors at present, there are probably 10 times as many that we work directly with vendors and application owners to fix and that will never see the light of day. Is that the better alternative? Keen on your thoughts……
It depends on your philosophy and thoughts on what is right and wrong, relationships with vendors and most importantly, relationships with clients whose systems may have just as significant issues as those “major” and largely deployed systems and applications. Case by case basis?
Is one seen as a successful IT security researcher (or genius in our field) because they publish everything? Are those guys who never publicly disclose to be discounted or not considered as the upper echelons of the research community themselves because they don’t publish, but rather work to quietly fix what can be fixed to minimise impact to the wider community - most importantly, clients and the business servicing those clients?
It’s a bit of a catch 22 - you disclose and you become famous. You work quietly in the background and you remain a no-name but who’s adding most value to the goals of the industry?
Is the tide just going to be too strong towards selling vulns, with the few who aren’t already making good dollars having no choice but to head down that path? It seems to be heading that way, sadly. Has framing the argument as a choice between two positions, without seriously considering a third, meant that we set a future that could have been different?
In a way, it comes down to your own thoughts on what you think is right, what you personally want to achieve as an individual and importantly also, how parties you deal with react to what you do. Am I overly simplifying this? Am I being too naive? Has the horse bolted now? Am I just plain wrong to think we’ve had a third option that could/could have worked?
July 27th, 2008 at 6:55 pm
The whole “what don’t you know” thing is obviously very hard to quantify.
From my personal experience most vulnerabilities are never disclosed, but that is biased by my line of work. There are many who use one piece of 0day for each attack once. The more it is used, the less it is worth - for obvious reasons. You can make your own conclusions as to the driver / ethics of this, as that is a whole new kettle of fish.
July 28th, 2008 at 8:24 am
The post is very much a hypothetical but focused on my perceptions of the industry. A case-by-case basis for what should be done will always be key… there won’t be one scenario to fit all, but ethical questions dominate. We’ve set precedents, but when are they followed? Market forces?
Thanks to Donal for this one. Interesting post and debate here (in followup comments to the post):
http://techbuddha.wordpress.com/2008/07/24/the-art-of-security-and-why-security-vendors-are-the-root-of-all-internet-evil/
DD
July 28th, 2008 at 11:38 am
Another perspective..
An ethicist might argue that the mob that ‘publishes’ their research - gaining fame & fortune on the world speaker circuit - is potentially in a greater position to reclaim some of their $$ invested, which they can turn towards investing in more research for the greater good.
No names here but there are some very well known examples of these speaker circuit dudes & dude-esses.
So in this case, the ethical balance theoretically tilts towards the publisher, as opposed to the non-publisher (which we in the trade refer to as ‘goody-two-shoes’).
July 28th, 2008 at 11:48 am
An alternative: “Dan Kaminsky Disclosure Methodology”
http://seclists.org/fulldisclosure/2008/Jul/0453.html
We could have our own “month of hysteria” where each day we announce a new way the Internet will “not be as we know it”.
July 28th, 2008 at 4:09 pm
Hmmm http://www.wiretrip.net/rfp/policy.html thoughts on RFP policy v2
and blurb that led to it from RFP
http://blogs.technet.com/bluehat/archive/2007/09/28/the-new-security-disclosure-landscape.aspx
When software is distributed you can play with your point solution without adversely affecting other instances until bugs are disclosed and working exploit code is available. The model somewhat changes with centralised software; it may be the best thing that ever hits the industry, it may be the straw that breaks the camel’s back! I hope it’s both. Then the non-zero-sum games can commence, IT will be fun again and we can all focus on being creative and not having to worry about this ‘bubble of doom’..
Off to my carpentry class…
July 28th, 2008 at 4:26 pm
@D2, also covered somewhat here:
http://beastorbuddha.com/2007/10/24/bluehat-security-briefing-notes-new-security-disclosure-landscape/
I suppose this debate/discussion will rage for a while.
July 28th, 2008 at 11:41 pm
This is a stupid story. For you and some, there are ethics involved but ethics as you call them are only relevant to the university teaching you and that you have been brought up with.
Ethics in infosec should not be developed by the industry but rather looked at what ‘ethics’ is considered as part of the whole business world!
It should not be different!
July 29th, 2008 at 12:20 am
Business doesn’t have a clue as it is, why in the world would we want to follow their systems on risk? Goldman Sacks anyone? The world economy is collapsing based on the current capitalistic system. If the infosec industry is to survive it needs its own model of Ethics, its own industry standards on RD.
Peace,
–Wade
July 29th, 2008 at 3:28 pm
@Wade M
I have to agree that the notion of businesses crying foul on ethics makes me laugh every time. Especially with the software licensing “We are not responsible for anything” debacle.
If they can’t be held accountable for writing crap code, then why should we be held accountable for telling the world about it?