The disclosure of vulnerabilities can be a contentious subject. Regardless of where you come down on the issue, the one thing everyone can agree on is that we’re trying to improve security, even if we’re on slightly different tacks. One thing that doesn’t help improve security: Fear, Uncertainty, and Doubt.
I work for a company that does a lot of security research on IoT devices. We find vulnerabilities. A lot of them. Some are exploitable. When we come across a significant exploitable vulnerability we adhere to a policy of responsible disclosure.
In a nutshell, responsible disclosure means we reach out to the company that makes the things we found a vulnerability in, and share our findings with them. We try to come to a mutual agreement as to when we will publish our findings, ideally as soon as possible, and after the manufacturer has built, tested, and released a patch.
Not everyone who looks for bugs follows the responsible disclosure model, but we think it is the best policy because it recognizes some very real issues that tend to be ignored or discounted:
- The bugs we’re talking about are of a critical nature. That is, if exploited, they could cause denial of services, disruption of service or functions, and/or destruction. These are not trivial issues, particularly when you deal with IoT devices.
- Finding bugs and fixing them are two different things (especially in IoT). Few of us know what it’s like to have to maintain, much less secure, the countless lines of code that may be associated with a device or application. Fixing one thing could break other things, and nobody wants that.
For these reasons – and because hackers tend to work faster than corporate development teams – we prefer responsible disclosure to full disclosure.
The DOD has a responsible disclosure policy, and the DOJ recently released a framework organizations can use to develop a disclosure program. Bug bounty programs (basically private disclosure) are increasing in popularity. These are not new concepts or issues, and nobody with any length of time in the industry can claim ignorance of them. So when you see actions by seasoned professionals that run counter to standard practice, it calls into question what their real motivations are.
Making public relations hay out of a computer security discovery is par for the course. We all do it. Generally speaking, however, it helps when you know what you’re talking about. When the work is exhaustive, not cursory. And when you give everyone involved an opportunity to, if not participate, at least weigh in. It’s also helpful if the announcement is timely.
Oh, and that there be an actual problem.
There is full disclosure, there is responsible disclosure, and there is irresponsible, odious, and arguably libelous behavior. One of these things does nothing to reduce FUD and advance the cause of computer security.
/* In the interest of full disclosure, I was a co-founder of Carbon Black. I have not worked there in years. I wrote this of my own accord, not at anyone’s request. I would do the same thing for any firm that was treated in a similar manner. */