[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVEPRI] Proposal: An open letter on responsible disclosure



All,

Some of the disagreements on this list are starting to escalate into
personal unpleasantness.  Please remember that this list is public,
and while there are good points on all sides, we should try to be
respectful.  Some Board members are starting to express their
displeasure with the tone of some emails.  It would be damaging to the
Board as a whole if I were forced to strictly moderate posts to this
list.  On the other hand, this is an important debate that the public
should be able to view.

Here's a concrete proposal for all members of the Board to consider.
Let's see if we can work together on things that we all agree about.
(I haven't heard any complaints about pursuing this "off-topic"
subject, so I assume Board members are OK with continuing to pursue
the matter on this list.  I do believe that it helps CVE in the long
term.)

There appears to be agreement with respect to certain aspects of the
vulnerability disclosure problem.  In a later email, I will take all
the emails and attempt to summarize them, highlighting the
commonalities and differences.

I propose that we create an "open letter" to everyone who discloses
vulnerabilities.  We could highlight what the problems are, and
propose some basic guidelines for both discoverers and vendors.  I've
been thinking of the concept as "responsible disclosure."  This open
letter doesn't necessarily have to go through as many revisions as the
CyberCrime treaty statement, and we don't have to make this a
statement from the Editorial Board.

A coordinated announcement from well-known full-disclosure *and*
"other-disclosure" advocates, with wide distribution across the
*Bugtraq mailing lists and "media outlets," could go a long way
towards addressing some of the problem.  If the participants/signers
wish to tie this in with the upcoming vulnerability summit, then I
could act as liaison for that summit.

Here's my first draft.  Comments from all sides of the fence are
welcome and strongly encouraged.  Board members have been challenged
to offer solutions, so here's a chance for many high-impact people to
do so.


The Situation
-------------

- Security vulnerabilities appear in a large percentage of computer
  software.  Therefore they are a universal problem across the IT
  industry.

- As the number of reported vulnerabilities has increased, the
  technical quality of those reports has decreased.

- Some disclosers have motives besides improving the overall state of
  security.  This in turn affects how the discloser interacts with the
  vendor, and how the discloser publicizes the problem.

- Some vendors are either unwilling, or unable, to publicly disclose
  that vulnerabilities in their products have been detected.

- At least half of all reported vulnerabilities are announced before a
  fix is available.

- The resulting "noise" makes it difficult for system administrators,
  vendors, and security personnel to get good enough information to
  improve the overall state of IT security.

- Previous efforts at providing high-level guidance have not reached
  the level of awareness and adherence to mitigate these problems [I'm
  thinking here mostly of RFP's disclosure policy].


Proposed "Best Practices"
-------------------------

We can probably agree that:

- Disclosers should work with the vendor to ensure that a fix is
  available before announcing the vulnerability [but what should the
  discloser do if the vendor doesn't cooperate?]

- Disclosers should involve a neutral third party in communications
  with the vendor.  That third party can serve as a mediator and an
  objective witness to activities that take place.

- Disclosers should produce an accurate, clear report.

Many of us might agree that:

- Vendors should be clear in notifying their customers - and security
  personnel who may "represent" those customers - as to: (a) their
  level of awareness of well-publicized vulnerability reports; (b)
  *precisely* which vulnerabilities they are aware of; and (c) whether
  patches are available.

- Disclosers and vendors should use commonly accepted references for
  specifically identifying which vulnerabilities are being disclosed
  (e.g. *Bugtraq posts, Bugtraq ID and/or CVE candidate number, etc.).
  [While this may appear self-serving, I find time and time again that
  it is extremely difficult to distinguish between vulnerability
  reports from different sources without a common reference.]

- If the discloser has acted responsibly, then the vendor should
  properly provide credit to the discloser.


"Best Practices" Support Mechanisms
-----------------------------------

Some mechanisms that may support some of these "best practices" are:

- Disclosers could use vulnerability reporting services to interface
  with vendors and to have a neutral third party to mediate.

- A trusted third party could provide a mechanism for hashing and
  time-stamping a vulnerability report to encourage some disclosers to
  delay reporting a vulnerability publicly until a patch is available.

- Extensions should be made to existing vulnerability databases, or a
  separate database should be created, which tracks vendor and
  discloser "status" for the reported item.  [E.g.: did the discloser
  use a service and/or follow a documented "best practice" to disclose
  the vulnerability; did the vendor use "best practice" to respond to
  it.  This data, in turn, could be used to apply pressure to those
  who aren't acting responsibly.]

Problems that are not resolved by this approach include:

- Disclosers with purely malicious intent, or who disclose
  vulnerabilities only for name recognition or "fame," will not follow
  guidance for responsible disclosure.  Disclosure "Time-stamping"
  might be sufficient for those who seek name recognition.

- How to deal with vendors who refuse to disclose or acknowledge any
  vulnerability information?

- If someone does not perform responsible disclosure, but they are
  strongly criticized by others, then it may force their information
  underground.



- Steve

Page Last Updated or Reviewed: May 22, 2007