On May 19, 2011, High-Tech Bridge (HTBridge) was added to the Errata Charlatans page. At the time, there were four articles that were used as evidence of our opinion that their work in security qualified them for this title. The information was primarily gathered by Jericho, with some additional assistance from Errata staff. Two of the four articles centered around their vulnerability research, made public in the form of security vulnerability advisories. Two of the articles centered around published claims found on the HTBridge web site.
In June 2011, Frédéric Bourla, their "Head of Ethical Hacking Department" (now "Chief Security Specialist"), mailed Jericho with a list of points, counter claims, and errors he saw in our published material. During the exchange of almost a dozen emails, Jericho made several revisions to the published articles in light of new information, or on reaching an understanding on other points that were in dispute. This led not only to material being revised, but to some portions of two articles being removed. After a short while, the emails became unproductive and discussion stopped.
In April 2012, Jericho received an email from Johan Droz, Procureur Sct I, Ministère public, informing him that HTBridge had filed charges for 'criminal defamation'. Apparently, the complaint was filed against 'Jericho' and 'attrition.org', and did not include the real name of any staff member. We say "apparently" because the Swiss prosecutor refused to share more than the first page of the complaint, which did not mention who the charges were against at all. As of September 16, 2012, we still have not seen a copy of the complaint against us.
On September 5, 2012, the CEO of HTBridge mailed Jericho to discuss their Errata page further. Over the course of 12 days and 20 mails, Ilia and Jericho discussed the pages in depth. The focus of the conversation from Ilia's side was of course to determine if the pages could be removed, but more importantly to better explain what led to the perceived failures that led to the page being created. Jericho's replies were centered on eliciting additional information, Ilia's perspective, and examples of how HTBridge has reacted to the feedback in order to improve over the last year.
The original Errata page on HTBridge included two pages covering their advisories, vulnerability disclosure, and the visible process behind each. A third page questioned the expertise of their technical staff and their "proprietary research lab". The fourth page included general observations about the company and management, based on information available via their web page. The first three pages were technical assessments and observations based on a portion of their security advisories and must be addressed here. The fourth page was subjective opinion based on Errata staff, who have worked in the information security field professionally since 1996. As such, that page alone would not have merited inclusion if it was the only issue. In determining if the pages should be removed, we only re-examined the first three in the context of what HTBridge has done since their publication to address the issues outlined.
| Original Complaint (Summary) | Comments & Updates |
|---|---|
| The HTBridge claim of the 1 million Swiss franc infusion supporting a "proprietary research lab" (via a press release), as compared to the output of the R&D team via public security advisories. At the time, over 50% of their findings were pedestrian XSS, with 122 SQL injections (many were not fully demonstrated), and only 6 remote command execution issues (a few more counting RFI). Around 99% of the vulnerabilities disclosed would be found by a commercial web application scanner at the time. | HTBridge provided additional details about how the money was spent, which better explains the correlation to previous criticism. The software chosen was specifically selected to test in-house software being developed, and did not represent their consultant auditing process. HTB also recognized and regrets that some of their previous public disclosures could cause confusion. As a result, the company now has a strict internal quality assurance program for all public advisories. The HTB CEO took our critique very seriously and got involved in the advisory process personally, to ensure a higher standard was achieved, including updates to their disclosure policy. |
| At the time, their advisories broke down to 22% high risk, 52% medium risk, and 26% low risk for the severity of the issues. Our page noted that their risk ratings seemed arbitrary, as similar issues would have very different ratings, but no qualifications or technical notes that would explain the scoring choice. We further noted that since they did not provide expanded CVSS notation that showed how they reached their scores, it was difficult to understand their reasoning. | The HTBridge CEO responds that all advisories are now scored using CVSS, and the full notation is included on advisories with published details. This includes both new advisories, as well as an overhaul of previously published advisories so they all meet the current standards. |
| The HTBridge disclosure policy included procedures that were questionable, such as giving vendors two weeks to fix vulnerabilities before disclosing, while calling it an "ethical" disclosure. In at least one case, HTBridge prematurely sent out an advisory giving the vendor less than one day to fix an issue. In other cases, they opted to release details despite a vendor having a clearly defined patch release schedule (e.g. Microsoft Patch Tuesday each month). | The HTBridge CEO has provided several points that demonstrate their advisory publishing program has matured significantly. The entire procedure of communications with vendors was completely revised and improved. The CEO notes, "As a result, in Q2 2012 92% of vendors fixed vulnerabilities discovered by HTB in their products." |
| There was significant evidence that HTBridge staff tested vendor web sites to find vulnerabilities, which is often done by less than ethical (or lazy) researchers that do not realize that such testing may be illegal. | The HTBridge CEO notes that live demos are no longer tested, even if the vendor gives explicit permission. |
| The most serious issue we outlined was that HTBridge's R&D group appeared to miss a lot of vulnerabilities in their auditing, including some very serious issues. If an auditor missed high-risk issues during an audit, then s/he poses a risk to your organization, as the company feels that the presence of the auditor reflects that all issues would be found, within reason. Such mistakes may also demonstrate a fundamental flaw in the team's assessment methodology that could impact every employee trained to use it. | After discussion with the CEO, it was determined that such omissions were also a "side effect" of their in-house product security testing, and not of performing a manual audit of the software. The fact that some vulnerabilities were missed was recognized by HTB, who then added a clear statement to their disclosure policy about limitations of their advisories, and that they do not represent their commercial service offering. HTB assumes full responsibility for not making this point clear before sending the advisories to the Bugtraq mail list in the past. |
| We originally published a table outlining a long list of errata in HTBridge's published security advisories. The issues included vulnerabilities being previously disclosed by other parties, noting discontinued products that would not be fixed (i.e. HTB did not), indicating some "vulnerabilities" that were a known byproduct of a given function (e.g. admin ability to edit a page to include script code), clarifying that specific credentials must be used to gain access to the vulnerable function, the requirement of specific configuration options for the vulnerability to manifest (e.g. magic_quotes_gpc off), and more. | HTB made significant revisions to all public advisories to address the issues we published. In the cases where a vulnerability had been previously discovered, proper credit to the original researcher was added despite HTB discovering the same issue independently. The new advisory process now includes steps to help avoid this moving forward; HTB is now CVE compatible, and their team searches multiple databases to determine if an issue has been made public already. |
Based on the extensive mails between the HTBridge CEO and Jericho, we believe that HTBridge has made a considerable effort to improve their security advisory process. The CEO was very open in providing explanations of the company's previous shortcomings, and repeatedly took full responsibility for not properly managing the process. The Errata team feels that their desire to improve and recent changes demonstrate that they are on the right path, intend to provide the best possible service to their clients, and are mindful of the public perception that may influence the security community and prospective customers. As a result, HTBridge is being removed from the Charlatan page. This article was created so that both HTBridge and the security community have a documented account of the events surrounding their initial inclusion on the Errata pages.
In the interest of full disclosure to Errata readers, there were several things offered by the HTBridge CEO early in the conversations that may be considered by some to be extra incentive to remove the pages, even if the merit described above could not be established. First, HTBridge originally contacted the Open Security Foundation, and offered to sponsor the OSVDB project, of which Jericho is a long-time contributor and content lead. Second, the initial mail from HTBridge to Jericho also offered to have him join the HTBridge Advisory Board (a non-compensated position). Third, during the discussion, the CEO indicated that if some material could be revised or removed, or the entire page removed, HTBridge would withdraw the criminal charges filed against Jericho. Because of these three offers, this page was written to replace the content and fully explain our decision in doing so, rather than silently removing the pages without explanation.
Regarding the OSF sponsorship, all communication was handled by a different project leader of OSVDB. It was made absolutely clear several times that any sponsorship of the project had absolutely no bearing on Jericho's work on another project. The offer to join the Advisory Board was turned down by Jericho to avoid the potential conflict of interest, but he made a standing offer to give feedback on advisories moving forward. The legal filing could certainly be seen as incentive to remove the pages. However, to this date, we maintain the material published by attrition.org does not constitute defamation under U.S. or Swiss law. Attrition.org has a decidedly long history of not caving to legal threats, which should help establish that the current case, while annoying, is not grounds to arbitrarily give in and compromise our integrity.
The decision to remove or revise material on Errata is based on one thing only: what is fair. While the project is negative in nature, the overall goal is to improve the security industry. As Jericho outlined in his 2012 RVAsec and BlackHat talks, the project is designed to encourage people to act honorably and ethically. If a person or company fails to do that, they may end up on our page. More important than making mistakes is how the person or company responded to them. If actions were taken to ensure it did not happen again, an appropriate apology issued, and responsibility accepted, then continuing to publish negative material about them is not fair. With HTBridge, the decision to remove material and publish this page as an explanation was validated with outside counsel to ensure personal bias or perceived benefits did not unduly influence any decisions. Further, this is not the first time pages have been removed from Errata and the Charlatan pages. Our own history of removing and revising content demonstrates our motivation to ensure fair and accurate content is published.
While this story started out negative, with the publishing of details that painted HTBridge in a poor light, it ultimately demonstrates the positive aspect of the Errata project. By pointing out some shortcomings in their offerings, and ultimately publishing the Errata material, it helped HTBridge identify weaknesses in their public security offering, specifically their advisories. In bringing this to the CEO's attention, he was able to effect positive change in his company. This in turn led to better security advisories, established a more responsible disclosure policy, and helped demonstrate the importance of the security community's perception of a company. In the long run, Errata provided valuable feedback to HTBridge, which they have leveraged to improve their security advisories. That desire to improve is the most important aspect of this and shows integrity, something our industry needs more of.
- Errata Staff
Note: plagiarism is one exception to the policy of removal, as the plagiarized material is still available in some format (e.g. books primarily, cached content, etc.), and still infringes on the rights of the people they took material from. Articles on plagiarism are entirely factual and do not represent cases where subjective or personal opinion enters, as is at times the case with articles on Charlatans.