Difference between revisions of "Full vs. Responsible Disclosure of Vulnerabilities"

From CyberSecurity
Line 20: Line 20:
 
** Purpose of disclosure
 
** Purpose of disclosure
 
*** Publicity: ''Bug hunters want to be the first people to get credit for discovering new vulnerabilities.  They like to show their talents and promote themselves.  People like publicity and see their name in newspapers. [http://ews.cnet.com/news/0-1005-200-2634067.html]  The media coverage a security company receives can mean substantial revenue in the form of new or larger customer contracts. [http://www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.]''  
 
*** Publicity: ''Bug hunters want to be the first people to get credit for discovering new vulnerabilities.  They like to show their talents and promote themselves.  People like publicity and see their name in newspapers. [http://ews.cnet.com/news/0-1005-200-2634067.html]  The media coverage a security company receives can mean substantial revenue in the form of new or larger customer contracts. [http://www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.]''  
** Window of exposure / vulnerability life cycle [http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf Windows of Vulnerability]
+
** What kinds of peoples would discover the vulnerabilities? ''hobbyist hacker, expert, specialist''
 
+
** What kinds of peoples would take the advantage of vulnerabilities? ''vandal/script-kiddy, thief, spy''
 +
** Window of exposure / vulnerability Timeline[http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf Windows of Vulnerability]
 +
*** undiscovered, experimentation/investigation, correction, packaging, deployment
  
 
* Type of Disclosure
 
* Type of Disclosure
 
** Non Disclosure
 
** Non Disclosure
 
 
** Full Disclosure
 
** Full Disclosure
 
*** For
 
*** For
 +
**** ''Vendoris motivated to provide a timely patch or workaround to a new vulnerability.''
 
**** ''Administrator might make use of exploit code to test for the existence of vulnerable systems. Exploit code may also be used to test the integrity of a patch that has been distributed to correct a vulnerability. [http://www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.pdf Vulnerability Disclosure]''
 
**** ''Administrator might make use of exploit code to test for the existence of vulnerable systems. Exploit code may also be used to test the integrity of a patch that has been distributed to correct a vulnerability. [http://www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.pdf Vulnerability Disclosure]''
 
*** Against
 
*** Against
**** Developing a patch requires time to investigate, debug, and test.  Not ony it requires time for the vendor, it also requires time for IT to test the patches before deployment.
+
**** ''Developing a patch requires time to investigate, debug, and test.  Not ony it requires time for the vendor, it also requires time for IT to test the patches before deployment.''
 
+
**** ''As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities.''
 +
**** ''Not all administrators are knowledgeable to work with firewall and intrusion detection system (IDS) to build a temporary workaround to stop vulnerability.''
 
** Responsible Disclosure
 
** Responsible Disclosure
 
*** For
 
*** For
 
*** Against
 
*** Against
 
  
 
* Controversy (by discussing read world exmaples)
 
* Controversy (by discussing read world exmaples)
 
** incident in 2000, public criticism of Internet Security System (ISS)
 
** incident in 2000, public criticism of Internet Security System (ISS)
 
** Responsible/limited disclosure can only delay the vulnerabilities since hackers can apply reverse-engineering to patches in order to understand the details.
 
** Responsible/limited disclosure can only delay the vulnerabilities since hackers can apply reverse-engineering to patches in order to understand the details.
 
+
** Blaster worm, release patch on 7/16; exploit code available on 7/25; worm discovered on 8/11
  
 
* Existing Practice, Policies and Proposals
 
* Existing Practice, Policies and Proposals
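Review bot: the added bullet under Full Disclosure / For, ''Vendoris motivated to provide a timely patch...'', is missing the space in "Vendor is", and the added ''Not ony it requires time for the vendor'' should read "Not only does it require time for the vendor". The new bullet "Window of exposure / vulnerability Timeline[http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf Windows of Vulnerability]" also needs a space before the link and covers the same heading as the "Window of exposure / vulnerability life cycle" bullet above it, so keep only one of the two; "peoples" in the two new "What kinds of peoples..." bullets should be "people".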
Line 55: Line 57:
  
 
----
 
----
* What kinds of peoples would discover the vulnerabilities?
 
* What kinds of peoples would take the advantage of vulnerabilities?
 
 
* Once people discover vulnerabilities, how much should they disclose (full/partial)?  Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
 
* Once people discover vulnerabilities, how much should they disclose (full/partial)?  Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
 
* What constitute a responsible disclosure?
 
* What constitute a responsible disclosure?
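Review bot: the two "What kinds of peoples would discover / take the advantage of vulnerabilities?" questions removed from this discussion list reappear, with answers filled in, under the Introduction in the earlier hunk, which is the right place for them; while touching these lines, "What constitute a responsible disclosure?" should read "What constitutes", and "peoples" should be "people".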
Line 66: Line 66:
 
* Discuss some examples/incidents of non-responsible disclosure and their result/affect.
 
* Discuss some examples/incidents of non-responsible disclosure and their result/affect.
 
* Should we have a public committee to manage/control the info flow of vulnerabilities?
 
* Should we have a public committee to manage/control the info flow of vulnerabilities?
* As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities.  After a patch is released by manufacturer, hackers can apply reverse-engineering to understand the vulnerabilities. Would a limited disclosure work? 
 
 
* Should we do a better job on notifying/educating the public/consumers about vulnerabilities?  Why people should care?  What they should do?
 
* Should we do a better job on notifying/educating the public/consumers about vulnerabilities?  Why people should care?  What they should do?
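Review bot: the removed question "As mentioned by one of the speakers on 11/9, hackers usually won't go for discovering new vulnerabilities. After a patch is released by manufacturer, hackers can apply reverse-engineering to understand the vulnerabilities. Would a limited disclosure work?" is split into the Full Disclosure / Against bullet and the Controversy bullet in the first hunk, but its closing question, "Would a limited disclosure work?", is dropped in the move; consider keeping that question under Controversy, since the reverse-engineering bullet there is exactly its premise. Also, "result/affect" in the retained line should be "result/effect".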

Revision as of 22:29, 12 November 2005

  • Abstract
  • Introduction
    • Terminology: product, flaw, vulnerability, exploit, exploitation, discoverer, originator, coordinator, vendor, customer (see Vulnerability Disclosure)
    • What are software/hardware vulnerabilities?
    • Definition of full disclosure and responsible disclosure
    • Purpose of disclosure
      • Publicity: Bug hunters want to be the first people to get credit for discovering new vulnerabilities. They like to show their talents and promote themselves. People like publicity and see their name in newspapers. [1] The media coverage a security company receives can mean substantial revenue in the form of new or larger customer contracts. [2]
    • What kinds of people would discover the vulnerabilities? hobbyist hacker, expert, specialist
    • What kinds of people would take advantage of vulnerabilities? vandal/script-kiddy, thief, spy
    • Window of exposure / vulnerability timeline (see Windows of Vulnerability, http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf)
      • undiscovered, experimentation/investigation, correction, packaging, deployment
  • Type of Disclosure
    • Non Disclosure
    • Full Disclosure
      • For
        • Vendor is motivated to provide a timely patch or workaround to a new vulnerability.
        • Administrator might make use of exploit code to test for the existence of vulnerable systems. Exploit code may also be used to test the integrity of a patch that has been distributed to correct a vulnerability. (Vulnerability Disclosure, http://www.giac.org/practical/GSEC/Stephen_Shepherd_GSEC.pdf)
      • Against
        • Developing a patch requires time to investigate, debug, and test. Not only does it require time for the vendor; it also requires time for IT to test the patches before deployment.
        • As mentioned by one of the speakers on 11/9, hackers usually won’t go for discovering new vulnerabilities.
        • Not all administrators are knowledgeable enough to work with a firewall and an intrusion detection system (IDS) to build a temporary workaround against the vulnerability.
    • Responsible Disclosure
      • For
      • Against
  • Controversy (by discussing real-world examples)
    • Incident in 2000: public criticism of Internet Security Systems (ISS)
    • Responsible/limited disclosure can only delay exploitation of the vulnerabilities, since hackers can reverse-engineer patches in order to understand the details.
    • Blaster worm: patch released on 7/16; exploit code available on 7/25; worm discovered on 8/11
  • Existing Practice, Policies and Proposals
    • BugTraq
    • RFPolicy

  • Conclusion

  • Once people discover vulnerabilities, how much should they disclose (full/partial)? Who should they disclose to (public/government/academic-research/manufacturer-only)? When should they disclose?
  • What constitutes a responsible disclosure?
  • What is bad about full disclosure of vulnerabilities?
  • Does it mean we are safe if people responsibly disclose the vulnerabilities?
  • If the software/hardware manufacturer cannot fix the vulnerabilities in a reasonable time, should the academic/research communities step in and help?
  • Does “Open Source” necessarily mean full disclosure? Hmmm... Not necessarily. If you don't tell people about the vulnerabilities, most people won't know about them unless they dig into the code. We are talking about disclosure of vulnerabilities, not disclosure of the entire source code.
  • Comparing the disclosure of vulnerabilities to other, non-cyber industries, e.g. health, environment, food...
  • Discuss some examples/incidents of non-responsible disclosure and their result/effect.
  • Should we have a public committee to manage/control the information flow about vulnerabilities?
  • Should we do a better job of notifying/educating the public/consumers about vulnerabilities? Why should people care? What should they do?