Allman on Coordinating Vulnerability Disclosure
Dave G. | February 26th, 2007 | Filed Under: Slashdot Rounddown
Eric Allman wrote an article for the ACM Queue. For those of you who don’t know who Eric is, he is the primary author of sendmail, so this is a topic he is well-versed in. He talks about the different approaches a vendor can take, and his survey is pretty complete (from not fixing at all to announcing without a patch), although he doesn’t give very good guidance about which ones to use.
The strongest criticism I have is in the timing section of the article. A choice quote on severity is:
A bug that gives an external user full control of a machine is more critical than one that allows the external user to break into the account of another user who opened an attachment (which that user shouldn’t have opened in the first place).
Another question he brings up that affects how quickly someone should release a patch is whether the bug was found internally or externally. Most (if not all) vendors use this as the primary factor in deciding whether to patch immediately or wait until the next release. It’s a simple gamble. It costs money to patch out of cycle, and most vendors are willing to bet their customers’ security that no one else will find the bug. Every major vendor is constantly rolling the dice on this. I would love to find statistics on patch times for internally discovered security issues (I assure you, you would be horrified).
One part of the article that surprised me a little was that he was pretty reasonable about how to work with security researchers. I certainly didn’t hear him call them vulnerability pimps or buckets of warm spit. In fact:
If the group is legitimate (i.e., one that isn’t trying to blackmail you), then you can usually negotiate, but only up to a point. Remember, even if you disagree with them, most of those groups are on the right side. Treat them with respect.


Dan Ingevaldson
February 26th, 2007 2:58 pm
On your last point, I can vouch for Eric. X-Force has found two remote root bugs and we worked them both with sendmail according to our version of “responsible disclosure”.
Having worked disclosure issues with pretty much all the major vendors, sendmail is among the best to work with. They respect bug finders, they don’t argue about severity and they take things seriously.
That being said, there is a burden that bug finders have to meet if they want to be respected by vendors. The vulnerability pimping debate only surfaced as a result of high-profile, in-your-face vulnerability publications and the trend towards commercialization of vulnerability disclosure.
Working for a software vendor who reports vulnerabilities and has vulnerabilities reported in our own products provides a unique perspective. The golden rule applies here just like it does everywhere else.
Chris_B
February 26th, 2007 8:06 pm
The gentleman from IBM above summed it up nicely. Dave, do I read you wrong, or are you coming to the defense of those who have been accused of pimping?
Dave G.
February 27th, 2007 1:44 pm
Chris:
Let me clarify. Both the “vulnerability pimps” and “bucket of warm spit” comments are terms mjr uses to describe anyone who performs vulnerability research and publishes the results. In other words, people like us. And yes, I am coming to my own defense on this one.
Chris_B
February 28th, 2007 8:31 pm
Um... Dave, I read the same article, come to think of it, and I think you are being a bit thin-skinned. If MJR classed you guys with the Purple Hats, I kinda missed it completely. Man up a bit.