Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies who pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process. In three parts.
Part 1: Vendor statements
SF: What type of disclosure process should independent researchers adopt when they find a vulnerability?
Apple: For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list Security-Announce.
People who find a vulnerability should report it to Apple via email@example.com. It is analyzed and if it's a valid security issue, then a fix is developed and released. People who report issues are asked to keep the information confidential until such time as an update is available to customers. They can request a status update at any time through an email to product-security. People who work with Apple in the responsible disclosure process are credited in advisories for reporting the issue.
Computer Associates (William Taub, Vice President, Enterprise Security): There are several good policies (RFPolicy, OIS Guidelines, NIAC's Vulnerability Disclosure Framework, CERT's Vulnerability Disclosure Policy, etc) available that provide guidelines to help independent researchers disclose a vulnerability. When a responsible researcher discovers a vulnerability, they know it's important to contact the vendor whose product or service has been compromised quickly and professionally. Once a researcher has contacted the vendor - the vendor then needs to work together with the researcher to quickly address his/her findings and then disclose, to customers, the public, and/or any other parties who may have an interest (such as the government), the information and the resolution. Disclosure, when done ethically, shouldn't be about a researcher gaining publicity, nor should it be an attempt to attack or discredit a vendor. Instead, researchers should focus on taking actions that are in the best interest of the product's users and the Internet as a whole. To this end, ethical disclosure means working with vendors whenever possible. The vendors, likewise, need to ensure proper credit for the discovery of the vulnerability and offer a similarly professional and timely response. When a vendor's disclosure gives credit to the independent researcher who helped out, it tells us that this vendor cares about security; they appreciated and collaborated with independent researchers. It also tells us a good deal about the researchers. It shows they are ethical and follow an accepted process that is in the best interest of everyone concerned.
Google (Douglas Merrill, VP of Engineering): We encourage security researchers to follow responsible disclosure practices and notify us of an issue before they tell the rest of the world. This allows us to fix the issue before it is made public and help protect Internet users from security exploits. Security researchers can contact us at anytime at firstname.lastname@example.org.
IBM (Hershel Harris, VP of Development for IBM Tivoli software): The preferred process is that they disclose the potential vulnerability to IBM. We then validate and confirm the exposure and enter it into our security reporting process. This process categorizes the exposure and provides appropriate notification to affected customers, which could include a recommended process change, a configuration adjustment, or delivery of a product fix.
Microsoft: Microsoft continues to encourage responsible disclosure of vulnerabilities to minimize risk to computer users. Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Novell (Crispin Cowan, Security Architect): While we recognize that independent researchers have a right to disclose in any manner they choose, we encourage and work with researchers who use what has come to be known as responsible disclosure. This is full disclosure, but with advance notice given to the product vendor or open source developer to allow them to prepare a fix before the vulnerability is disclosed.
Oracle: Oracle encourages independent security researchers to follow a 'responsible disclosure' policy. Researchers notify vendors about a vulnerability and do not publicly disclose information regarding the vulnerability until we have released a patch for it.
Red Hat (Mark J Cox, Security Response Team): Issues always take time to analyze, and my experience is that fixes where a vendor has had a few days to investigate tend to turn out better than where a vendor has to react in a crisis to a public issue. Researchers should always contact the vendor privately in advance. Where vulnerabilities are found that affect multiple vendors then an response team organisation like NISCC (www.niscc.gov.uk) can help co-ordinate communication. Advance notification doesn't necessarily make vendors slow to respond; a recent security issue was reported privately to the Apache Software Foundation on a Friday night and details were published with updates for all affected versions by the following Thursday.
SAP (Sachar Paulus, Chief Security Officer): SAP operates a security response service for taking care about discovered vulnerabilities by independent security researchers. They can simply send an e-mail to email@example.com for notifying the issue. The disclosure process will be agreed on jointly with the independent security researcher, our aim is to fix the issue and inform our customers prior to public disclosure.
Sun Microsystems (Bob Brewin, Co-CTO of Software): For issues potentially affecting Sun products (including Java), independent researchers can send reports to Sun at: firstname.lastname@example.org. For more information, please see http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec.
The above address is the one place where researchers can send reports of potential vulnerabilities to Sun. However, researchers may also send reports for potential issues in Java to: email@example.com.
Sun may release security advisories (Sun Alerts) for confirmed vulnerabilities. These advisories are released after fixes for affected supported releases are available and after we provide time for our licensees to address them in their implementations.
Sun coordinates with researchers on the timing of public disclosures so that they can release their advisories shortly after the Sun Alerts are published.
Yahoo! (Arturo Bejar, Head of Information Security): We take security very seriously at Yahoo!, and work to address vulnerabilities in a timely fashion. We encourage security researchers to first notify firstname.lastname@example.org of their findings, so that we can work together in resolving issues before publication.