Friday, July 17, 2009

Full Disclosure and Publicity

The merits of responsible and full disclosure have long been debated among InfoSec luminaries. The problem with announcing vulnerabilities out into the open is that often it can cause more harm than good if done irresponsibly. It's important to understand the whole debate so I'm going to sum things up, my thoughts, in a concise and simple post here.

The Dangers
First, let's talk about why full disclosure can be dangerous. Disclosing vulnerabilities, like the recent ATM [Automated Teller Machine] vulnerability which was going to be discussed at this year's Black Hat conference, can cause undo risk. When a researcher finds a bug, and the problem hits the public wire right away there is an urgency of risk that is generated around the issue. Often times it's becomes a race between the vendor and the black-hat community to see whether the issue will be patched before a mass exploit is written. The dangers of full (and irresponsible) disclosure is that of exposing an exploitable risk to everyone else and thus increasing the risk of mass exploit or loss

The Good
With the yin, there is the yang. As you can see in the screen shot - American Airlines simply can't filter an ancient file include (../../ was cool in, what, 1999?) vulnerability. The person who posted this to the Full Disclosure mailing list (claims to have) contacted American Airlines repeatedly without results - so the vulnerability goes public in the hopes of getting the vendor to fix their issue.
While I don't agree with this excessive risk, and the public shaming sometimes it's required to get the job done. After all, the whole point of researching, cooperatively disclosing, and remediating vulnerabilities is for the greater good... right?

The Rest...
There are subtle issues here that go beyond whether to disclose publicly or not... and those are hotly debated still to this day.
  1. How long should a vendor be given to respond before a discovered vulnerability goes public?
  2. What is the proper format and forum for disclosing vulnerabilities to the vendor?
  3. How much time should the vendor be given to provide a public announcement and fix before the vulnerability hits the mailing lists and public?
  4. What about the legal liabilities of reporting security research and vulnerabilities?
These and other questions must be answered... and I feel that it may be done in some not-too-distant future by a legal precedent or a regulatory ruling. Of course, I have no misgivings about researchers following mandated regulations... but still...

No comments: