In today’s vulnerability market, vendors want to squeeze every ounce of publicity out of their security researchers. As a result, responsible disclosure often falls by the wayside.
The same is true of independent researchers in search of their 15 minutes of fame. A fatal flaw in a major product is akin to Kennedy’s dream of landing a man on the moon. You want to be first because there’s nothing special about second place.
In a digital world filled with named vulnerabilities, instant gratification and address books with more journalists than security contacts, it shouldn’t be a surprise that many have forgotten the importance of responsible (or coordinated) disclosure.
As a huge fan of responsible disclosure, I’m incredibly lucky to work for a company that shares my point of view. At Tripwire, we make every effort to work with vendors when we find a new vulnerability, just as we hope that security researchers will work with us if they find a vulnerability in one of our products.
We have a standardized three-step approach that we’ve shared in presentations before, but I think that it’s important to review key points now:
- Make a minimum of three attempts to contact the vendor (multiple email addresses, phone calls and web-based forms). Give the vendor at least 30 days to respond.
- Allow a responsive vendor a reasonable amount of time to resolve the vulnerability.
- Review vendor solutions if requested.
While I am using the term responsible disclosure (as it is the better-known term), I prefer the term ‘coordinated disclosure,’ and I think our policy reflects that. Our goal is to work closely with cooperative vendors to find a solution that benefits as many people as possible. It is always our hope that this is the path we can take.
Unfortunately, not all vendors are responsive or willing to fix a vulnerability. These vendors are the reason why full disclosure exists, why the security community will forever need the ability to “drop 0-day,” and why some refuse to even attempt coordinated disclosure. It’s these vendors that cause a moral dilemma for security researchers who believe in coordinated disclosure.
How long do you wait? How much information do you release? I like to think that, at Tripwire, we’ve done a good job of avoiding this moral dilemma, but our luck won’t last forever.
While there are pros and cons to both full and responsible disclosure, each individual needs to determine which list of pros beats the cons. At Tripwire, our initial pro-list always skews toward responsible disclosure, but as more time passes and attempts at coordinated disclosure go unanswered, we see the pros shift toward full disclosure (let’s call this uncoordinated disclosure) so that end users are aware of unfixed issues.
Ultimately, while marketing and personal fame play a role, I’d like to believe that deep down inside every researcher, the ultimate goal is the safety and security of the end user.
When we feel that a vendor’s lack of responsiveness has started to jeopardize this safety and security – that the door has been left open too long and others may have found the same issue – that is when you’ll see Tripwire complete the disclosure process and perform an uncoordinated disclosure.