Full vs. Responsible Disclosure of Vulnerabilities

From CyberSecurity

The assignment calls for us to write a white paper:

"describing a particular threat, assessing possible losses in the event of an attack, assessing current vulnerabilities, presenting possible responses, and evaluating the cost-effectiveness of each."


  • Abstract


  • Introduction
    • Terminology: product, flaw, vulnerability, exploit, exploitation, discoverer, originator, coordinator, vendor, customer (see: Vulnerability Disclosure)
    • What are software/hardware vulnerabilities?
    • Definition of full disclosure and responsible disclosure
    • Purpose of disclosure
      • Publicity: Bug hunters want to be the first to get credit for discovering new vulnerabilities. They like to show their talents and promote themselves. People like publicity and seeing their names in newspapers. [1] The media coverage a security company receives can mean substantial revenue in the form of new or larger customer contracts. [2]
    • What kinds of people discover vulnerabilities? hobbyist hacker, expert, specialist
    • What kinds of people take advantage of vulnerabilities? vandal/script-kiddy, thief, spy
    • Window of exposure / vulnerability timeline (see: Windows of Vulnerability)
      • undiscovered, experimentation/investigation, correction, packaging, deployment


  • Actual/Possible Losses in the Event of Attacks
    • Incident in 2000: public criticism of Internet Security Systems (ISS)
    • Responsible/limited disclosure can only delay exploitation of a vulnerability, since attackers can reverse-engineer patches to understand the details.
    • Blaster worm: patch released on 7/16; exploit code available on 7/25; worm discovered on 8/11
    • Slammer worm: Litchfield discovery; patch availability; worm proliferation
    • Microsoft's "Information Anarchy" essay
    • What could have happened with:
      • Slammer
      • Blaster
      • Code Red
    • Theoretical Attacks
      • Against operating system
      • Against server software
      • Against custom application (e.g. industry-specific application like stock trading software, etc.)
  • Overview of Types of Disclosure
    • Non Disclosure
      • define
    • Full Disclosure
      • define
    • Responsible Disclosure
      • define
  • Cost-Effectiveness of Disclosure Types
    • Non Disclosure
      • For
      • Against
    • Full Disclosure
      • For
        • Vendor is motivated to provide a timely patch or workaround for a new vulnerability.
        • Administrators might use exploit code to test for the existence of vulnerable systems. Exploit code may also be used to test the integrity of a patch that has been distributed to correct a vulnerability. (see: Vulnerability Disclosure)
        • Administrators can disable or monitor the affected software immediately, rather than being 'blindly vulnerable' while waiting for the vendor to patch the software in secret (if at all).
        • Teaching the general public the techniques and tools the underground uses is important.
        • Provides exposure and recognition to security experts who find software flaws.
      • Against
        • Releasing a vulnerability without giving the vendor an opportunity to fix the problem puts users at risk, since not all flaws have a quick and easy fix (for example, in some cases an entire component or piece of software may need to be re-architected) - what is the end benefit here?
        • Developing a patch requires time to investigate, debug, and test. Not only does it require time for the vendor, it also requires time for IT to test the patches before deployment. (ABC: may want to rework this point some)
        • As mentioned by one of the speakers on 11/9, hackers usually won't go for discovering new vulnerabilities.
        • Not all administrators are knowledgeable enough to work with a firewall and intrusion detection system (IDS) to build a temporary workaround that blocks exploitation of the vulnerability.
        • Releasing exploit code as part of full disclosure only makes it easier for an attack to be launched.
    • Responsible Disclosure
      • For
        • Keeps information about the vulnerability on a 'need to know' basis until a patch is developed.
        • In open source software, a patch or fix should be devised as part of, or before, a vulnerability report to the general public - if you can find a problem in open source, shouldn't you also be able to propose a solution to the open source community?
        • There seem to be fewer cases of widespread exploits in situations where responsible disclosure has taken place (is this quantifiable?).
        • Ethically, it seems like the right thing to do: would you feel it more right to post a sign on someone's door saying the lock is broken, or to tell the person who owns the door to fix the lock?
        • Risk/reward tradeoff: the probability of a vulnerability being found by black hats vs. how long it takes to fix the flaw and how likely the flaw is to be fixed; also, how likely the flaw is to be exploited and how many systems are at risk - all relative to other flaws in the same software.
      • Against
        • There is no way to assure that the black hat community does not already possess the vulnerability information, or that they will not discover it on their own before a public disclosure is made.
        • Vendors are not motivated to repair the flaw in a timely manner.
        • Security researchers are liable for the information they release because when it is used to harm others it can have deleterious effects. According to this logic, the Ginsu steak knife company would be liable for any and all misuses of their technology as well. This is beyond absurd. [3]
    • Conclusions (what we find to be most sensible here)
  • Government's role? Use of Law?
    • Should the government act as the coordinator, building the communication channel between vendors and originators?
    • Maybe this is not workable, since the law can only apply within the United States. (see: Linux Update withholds security details)
    • "The only rational solution is to make the script kiddies responsible for their actions, as we do with all criminals." [4]
  • Other Responses:
    • Incentives from software vendors to researchers to follow responsible disclosure policies
    • NGO-like entity that monitors and rates software company security response
    • Vendor infiltration of hacker channels to learn about vulnerabilities being pursued
  • Conclusion
    • Related topic: patch delivery and deployment - constant patches that are not easy, or are disruptive, to deploy can often go ignored for too long; this segues into disclosure types (even the most responsible disclosure can still put people at risk if systems go unpatched).

  • Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
  • What constitutes a responsible disclosure?
  • What is bad about full disclosure of vulnerabilities?
  • Does responsible disclosure of vulnerabilities mean systems are safe?
  • If the software/hardware manufacturer cannot fix the vulnerabilities in reasonable time, should the academic/research communities step in and help?
  • Does "Open Source" necessarily mean full disclosure? Hmmm... Not necessarily. If you don't tell people about the vulnerabilities, most people won't know about them unless they dig into the code. We are talking about disclosure of vulnerabilities, not disclosure of the entire source code.
  • Comparing the disclosure of vulnerabilities to other non-cyber industries, i.e. health, environment, food...
  • Discuss some examples/incidents of non-responsible disclosure and their results/effects.
  • Should we have a public committee to manage/control the flow of vulnerability information?
  • Should we do a better job of notifying/educating the public/consumers about vulnerabilities? Why should people care? What should they do?