HackDig : Dig high-quality web security articles

Vulnerability disclosure the good and the ugly

2015-06-09 10:35

By Cesar Cerrudo @cesarcer


I can't believe I continue to write about disclosure problems. More than a decade ago, I started disclosing vulnerabilities to vendors and working with them to develop fixes. Since then, I have reported hundreds of vulnerabilities. I often think I have seen everything, and yet, I continue to be surprised over and over again. I wrote a related blog post a year and a half ago (Vulnerability bureaucracy: Unchanged after 12 years), and I will continue to write about disclosure problems until it's no longer needed.

Everything is becoming digital. Vendors are producing software for the first time or with very little experience, and many have no security knowledge. As a result, insecure software is being deployed worldwide. The Internet of Things (IoT), industrial devices and industrial systems (SCADA/ICS), Smart City technology, automobile systems, and so on are insecure and getting worse instead of better.

Besides lacking security knowledge, many vendors do not know how to deal with vulnerability reports. They don't know what to do when an individual researcher or company privately discloses a vulnerability to them, how to properly communicate the problem, or how to fix it. Many vendors haven't planned for security patches. Basically, they never considered the possibility of a latent security flaw. This creates many of the problems the research community commonly faces.

When IOActive recently disclosed vulnerabilities in CyberLock products, we faced problems, including threats from CyberLock's lawyers related to the Digital Millennium Copyright Act (DMCA). CyberLock's response is a very good example of a vendor that does not know how to properly deal with vulnerability reports.

On the other hand, we had a completely different experience when we recently reported vulnerabilities to Lenovo. Lenovo's response was very professional and collaborative. They even publicly acknowledged our collaboration:

"Lenovo's development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them."

IOActive approached both cases in the same way, but with two completely different reactions and results.

We always try to contact the affected vendor through a variety of channels and offer our collaboration to ensure a fix is in place before we disclose our research to the public. We invest a lot of time and resources in helping vendors understand the vulnerabilities we find. We have calls with developers and managers, test their fixes, and so on, all for free without expecting anything in return. We do not propose or discuss business opportunities; our only motive is to see that the vulnerabilities get fixed. We have a great track record; we've reported dozens of vulnerabilities and collaborated with many vendors and CERTs too.

When a vendor is nonresponsive, we feel that the best solution is usually to disclose the vulnerability to the public. We do this as a last resort, as no vendor patch or solution will be available in such a case. We do not want to be complicit in hiding a flaw. Letting people know can force the vendor to address the vulnerability.

Dealing with vulnerability reports shouldn't be this difficult. I'm going to give some advice, based on my experience, to help companies avoid vulnerability disclosure problems and improve the security of their products:
  • Clearly display a contact email for vulnerability reports on the company/product website
  • Continuously monitor that email address and instantly acknowledge when you get a vulnerability report
  • Agree on response procedures, including regular timeframes for updating status information after receiving the report
  • Always be collaborative with the researcher/company, even if you don't like the reporter
  • Always thank the researcher/company for the report, even if you don't like the reporter
  • Ask the reporter for help if needed, and work together with the reporter to find better solutions
  • Agree on a time for releasing a fix
  • Agree on a time for publicly disclosing the vulnerability
  • Release the fix on time and alert customers
That's it! Not so difficult. Any company that produces software should follow these simple guidelines at a minimum.

It comes down to this: If you produce software, consider the possibility that your product will have security vulnerabilities and plan accordingly. You will do yourself a big favor, save money, and possibly save your company's reputation too.


Source: blog.ioactive.com/2015/05/vulnerability-disclosure-good-and-ugly.html
