Vulnerability Disclosures Summarized

Monday, July 19, 2010

Rob Fuller


I have an admittedly limited view of the exploit dev world. However, from what I've seen, devs have very few options (please correct me if I'm wrong):

Responsible Disclosure

- Direct Contact => depending on the size of the vendor and their view on security, this could result in anything from a simple thanks, a reward, to a court hearing.

- Exploit Broker => possibly sell, possibly not, depends on the broker. The vuln could die on the table or be stolen due to too much information being given during negotiations. This route has the same financial risk as direct contact, but a lot less risk of getting sued.

- ZDI (or other vuln clearing house) => "instant" cash, but admittedly less than an Exploit Broker could possibly get, based on the financial risk to ZDI. Close to zero risk of court time (they may come after you for selling the exploit). And a lot less financial risk since (IIRC) they pay up front. But then the vulns also go to undisclosed parties, potentially the highest bidder, which is probably not the vendor.

- "other" secretive groups who share vulns for different reasons...

- Just to friends => No cash, no judicial risk, but you do risk them stealing/selling your exploit.

Full Disclosure

- Posting it to the web for all to see/use => Possible court time, but the definite upside is the vendor is forced to react. A very quick way to make enemies.

- Releasing at a conference => Probable court time.

No Disclosure

- Keeping it to yourself => Working under the assumption that you're the only one who has found that same bug is still semi-relevant due to the incredibly small size of the exploit dev community. However, as Dave said, they'll be toasting to their sleeping dead 0days some day.

No More Free Bugs

- My stance on this is split: while I think people should get paid for their work, I relate this movement to mowing someone's lawn and then ringing their doorbell and asking for money. However, I'm sure Robert Graham's punch-in-the-face metaphor also works.


Like I have stated above, I am far and away a newbie to the vuln disclosure world, and this debate has been going on since before I owned my own computer, but with the brilliant minds working at it, why doesn't anyone offer up a solid solution to it?

My solution? Create a standard, something that we all abide by. I know as hackers we rebel against such things, but in the interest of getting better security out there (yes, that's what we are here for, right?.... right?) we should really work together on this. What sounds right?

I mean, what is the right way to approach someone whose lawn you've mowed for the work you have done? Maybe free for open source projects, and a price based on exploitability and market share of the affected product?

For reference:

Vuln Trading Markets and You by Michal Zalewski (lcamtuf):

Vuln Disclosure is Rude by Robert Graham:

No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino Dai Zovi:

Dailydave Post by Dave Aitel:

Cross-posted from Room362

Rod MacPherson: I think that the standard should be somewhere in the "Responsible Disclosure" spectrum, and perhaps having an intermediary like ZDI or a broker is a necessary part of that.

Most of us would never attempt a real estate purchase without agents and lawyers involved (in most places you can't without at least the lawyers). So perhaps there is a need to keep these middle men involved in such Intellectual Property transfers.

I personally am not at a point yet where I've needed to think about such things for personal use. But, as an interested InfoSec practitioner, I anticipate one day needing to perform some kind of disclosure, and I'd like to have the process run smoothly.

Good luck to those blazing this trail. I hope to see results that we can all live with in the coming years.
Brian Bartlett: This is a fairly common problem in economics and game theory. In economics it is "The Tragedy of the Commons" and in game theory "The Prisoner's Dilemma." If you hang out in both fields, as I do, then you begin to see it pretty much everywhere, especially in the social sciences. What we have here is a common resource, system security, and the two actors do not see their way clear to acting in cooperation with one another to properly conserve/secure that resource. What's in it for me, basically. However, if you game the alternatives you find that not having the two actors cooperate with one another definitely, not probably, results in damage to both the actors. Cooperation in this example being that the development house at least funds the researchers at some reasonable, in the eyes of the researcher, level.

When the two actors can't agree, game theory provides an answer to that as well. The researcher engages in a tit-for-tat response for each bad act on the part of the development house, which we call Full Disclosure. Smacking the other actor up-side-the-head if you will, until the development house begins to cooperate.

Is there a certain level of extortion involved here? Yes. However it should be pointed out that development houses frequently engage beta-testers, usually with an enticement of some sort, to find bugs in their software. Why does it have to stop on release?

That's my understanding of the "game" here.