What is "responsible disclosure"?
Yesterday's XSS-eEye articles got me to thinking more about responsible disclosure last night. I think to most of us, responsible disclosure means that someone who finds a vulnerability would, before making their findings public, contact the vendor of the vulnerable product and give them a reasonable time to correct and fix the problem. OK, I don't think anyone would argue with that. The developer gets a chance to fix the problem before everyone knows about it, and the public using the product gets a patch or fix before the bad guys supposedly find out about the hole. Sounds easy and good. But then other issues pop up. Among them are:
- What do you do if the vendor does not fix the problem? Easy: you announce the vulnerability and make your findings public. This raises yet more questions.
- How long do you give the vendor to fix the problem? What is a reasonable time? Is it measured in weeks, days or months? I have never seen a good answer to this one. In my mind it is a two-step process. First, I think the vendor has to acknowledge the vulnerability fairly quickly (within 10 days). Once acknowledged, I think a fix should be done within 45 days (this way they can fit it into a monthly patch cycle like Microsoft). Of course, the downside of this is that the bad guys could find the hole in this time and exploit it.
- What if the vendor does not acknowledge or fix? Some people will tell you that does not happen anymore. In this new age of vulnerability kumbaya (a Rothman word), vendors are only too happy to find out about holes in their product and are grateful to the researchers for finding them (NOT). Others say that with companies like Tipping Point and others ready to "buy" these vulnerabilities, and with the resources to publicize them, vendors have a gun to their head and have no choice but to acknowledge and fix them. Still others (like Martin McKeay) think there are researchers finding bugs every day who cannot get the time of day from the vendors. Frankly, I think this is out-of-date material, but if you can show me real-world examples of recent experiences like this, I might change my view.
- The next thing is: if the vendor fixes the hole and announces it, what is the motive of the person or company that found the hole in announcing they were the ones who found it? Do they want a medal or a chest to pin it on? It just seems like that is all about the personal glory. Sure, you can make your product better by protecting your customers with this information, and you should. But announcing to the world that you found it, and that this therefore somehow makes you a macho security company? Just a little too much for me. I have to question this type of behavior and think it then makes you a target.
As you can see, responsible disclosure is easy to say and sounds good. However, in practice it is not always that easy. There is a lot of confusion over what responsible is, over how vendors respond, and over what a person who finds a vulnerability should do. I for one would like to see a well-accepted guideline from a group like SANS or someone else to help guide people on this.