Part 2: the disclosure process
SF: What type of disclosure process should independent researchers adopt when they find a vulnerability?
iDEFENSE (Rick Howard, Director of Intelligence): Before I answer the question specifically, let me run down the iDefense Vulnerability Contributor Program (VCP) for you:
- Either iDefense Reverse Engineers or outside contributors discover a zero-day exploit and submit it to the iDefense Labs for review.
- Once vetted within the lab, iDefense simultaneously informs the vendor responsible for the vulnerability and the iDefense customer base. iDefense does not go public with the information and neither do any of the customers. It is in their contract. If they did, we would know.
- The responsible vendor takes time to vet the problem within their own lab. They have to develop a patch, [they] Quality Control it and then publish the patch. Microsoft and Oracle average about 120 days to do this. In the meantime, iDefense customers get 120 days of early warning because nobody else in the world knows about it. iDefense helps customers determine mitigation strategies for their enterprise until the patch comes out.
- Once the vendor publishes the patch, iDefense pays the contributor.
- iDefense also hosts quarterly challenges. We pick a topic with some very specific parameters. For every exploit we get during that quarterly challenge, we pay $10,000. The first quarter of 2006, the challenge concerned anything to do with Microsoft. The second quarter, the challenge concerned databases. This third quarter, we are doing browsers. Last month's Microsoft Black Tuesday list contained four exploits that we discovered during the first quarter challenge.
Some vendors would prefer that these exploit contributors stop doing what they do or, at a minimum, just hand over their research because they are good guys. Some vendors are willing to pay for exploits too. Many don't publicize the fact.
To be fair, some researchers do hand over their finds to the vendor at no cost. David Litchfield is a famous example. As you know, he supplies Oracle with all of the exploits he discovers. Last year at Black Hat he rather publicly demonstrated an exploit to the audience because he didn't think Oracle was moving fast enough to patch it. But he does not get compensated for his efforts.
Having said all of that, the iDefense VCP provides five main benefits that I can see:
- The program finds zero day exploits that nobody would know about otherwise.
- The program provides an outlet for those individuals, who are not necessarily bent on breaking the law, to get legally paid for their services. Without programs like this, these guys would have to turn to the dark side to get compensated (or work for some government agency).
- Vendors get the research for free. iDefense does not charge them for it.
- iDefense customers get early warning for zero day exploits.
- iDefense acts as an independent, non-partial middleman for these independent researchers who desire to get compensated for their efforts. Without iDefense, independent researchers would have to negotiate individual contracts with each vendor; some of whom are not keen on paying for the research in the first place or sell the research on the black market.
There are benefits to reporting to the vendor first. Just like when reporting the vulnerability to iDefense, the vendor has a chance to create a patch before the world knows about it. Thus, the exploit would not impact the Internet at large because the vendor will not announce it until it is patched. For some researchers and security experts though, this is less than satisfying. This path may never cause the vendor to fix the problem. Indeed, there exists no impetus for the vendor to do so. The vendor owns the code and nobody else does. Nobody will pressure the vendor to make something happen; unless you are Dave Litchfield and change your mind at Blackhat that is.
Exposure on a public list without any warning will certainly cause the vendor to jump through hoops in an effort to fix the problem. But that leaves a gap between the time when the exploit is announced and when the vendor can push out a fix that leaves the Internet vulnerable. The hacker gets his issue addressed but causes more risk in the process.
One avenue is that these altruistic researchers could hand the exploit over to iDefense or others like us and not take any compensation. The researcher feels good that his issue will be taken care of, the vendors get notified of a new security hole at no charge to them and the iDefense customers will start silently asking the vendor to fix the problem.
ZeroDayInitiative/3com (Terri Forslof, Manager of Security Response): The art of Full Disclosure helps some, but not all. Because the general population does not follow public security lists such as BugTraq and Full Disclosure, I strongly encourage all independent researchers (and those belonging to organizations as well!) to follow a practice of responsible disclosure. In the old days, that used to imply that the researcher should make every attempt to contact the vendor directly and keep the information confidential until the vendor could issue an update to protect their customers. While that model still works, and is still a great altruistic idea, some researchers seem to have grown tired over the years of the often long battle to get vendors to take them seriously, and fix the vulnerability.
Finding vulnerabilities takes a special skill set, and time. In the modern age, this translates into a marketable talent. I encourage researchers who don't want to deal with the hassle of working with the vendor to utilize the Zero Day Initiative program - which offers them fair compensation for their work, while still providing a vendor the advantage of time to develop a solution to the problem and ship an update to their customers. Because we handle the communications with the vendor, and work with them to address the problem, the researcher can then move onto working on their next project. In the meantime, we are able to deliver protection to our customers against that vulnerability via our TippingPoint IPS device. We always assume that if one person has discovered a vulnerability, then it's likely that another out there somewhere has discovered it as well. Our customers enjoy the peace of mind in knowing that they are protected during that time when the vendor is working to deliver the update.
Of course, once the problem has been addressed, I'm an advocate of making as much noise as possible that there was a problem, and that there is a solution. If you don't spread the word, then the general population won't hear about the issue. It's not a perfect solution - nothing is. All vulnerabilities are not created equal, and not all products have the same impact on society - but as the world of security research evolves, I think that we as security vendors need to evolve right along with it, and continue to look for innovative ways to get vulnerabilities out of the wild, and into the hands of the vendors who can fix them.