[Infowarrior] - Flaw finders to software makers: It's payback time

[Richard Forno]

Flaw finders to software makers: It's payback time

By Joris Evers
http://news.com.com/Flaw+finders+to+software+makers+Its+payback+time/2100-10
02_3-6106593.html

Story last modified Thu Aug 17 05:02:45 PDT 2006

Bug hunters are turning the tables on software makers in the debate over
reporting flaws.

In recent years, software companies have hammered out rules with researchers
on disclosure, which cover how and when vulnerabilities are made public. Now
flaw finders want something in return: more information from software
providers on what they are doing to tackle the holes the researchers have
reported.

"We have gone from the old 'full disclosure' to 'responsible disclosure'
debate, to a debate over 'The vendor has the information--what does it do
with it?'" said Steven Lipner, senior director for security engineering
strategy at Microsoft.

Software vendors need to establish protocols for interacting with
researchers who share bug information, experts said. If they don't, they
could risk losing the progress that has been made towards responsible
disclosure of flaws.

Many bug hunters now understand and follow the "responsible disclosure"
guidelines advocated by software companies. Under this approach, a
researcher who uncovers a flaw will, as a first step, contact the maker of
the affected software and share details of the vulnerability.

In the past, researchers tended to favor full disclosure, in which they
would publish details of security flaws they had found on mailing lists or
on security Web sites, regardless of whether a fix was available.

However, companies want to keep bug details under wraps at least until a
patch is ready. They argue that with a patch, users of the flawed software
can plug the hole and protect themselves against possible attacks. By
contrast, with full disclosure vendors are sent scrambling to fix a flaw,
while customers are exposed.

"The tension has always been the same," said Gartner analyst Paul Proctor,
who moderated a panel discussion on disclosure at the recent Black Hat
security conference. "Researchers want the vendors to be more aggressive,
and the vendors want the researchers to show more discretion. While they
both have the same goal of a more secure Internet, their perspectives are
different."

Brick wall
While many researchers now follow responsible disclosure practice, some feel
that their conscientiousness is not being reciprocated. In many cases, the
say, they run into a brick wall or get a limited response at the software
maker, which pays them little respect for their work.

"There is nothing more frustrating then trying to help a vendor secure its
product in good faith and not getting decent communication back in return,"
said Terri Forslof, security response manager at TippingPoint, which sells
intrusion prevention systems. Forslof is responsible for sharing flaw
details with vendors through TippingPoint's Zero Day Initiative bug bounty
program. Others agree: Her comments echo the sentiments expressed by many
researchers at the Black Hat panel discussion

There is a simple recipe for satisfying flaw finders, Forslof said. A
company should acknowledge the issue; provide ongoing information on the
status of a fix; and be open with the researcher about the processes
involved in producing an update.

"An open line of communication is essential," said Michael Sutton, one of
the Black Hat panelists and director of VeriSign's iDefense, which deals
with software makers and vulnerability researchers. "It is the vendor's
responsibility to proactively update the researcher on a regular basis on
the progress that is being made in patching the issue."

Much progress has been made, and security researchers and software makers
are working better together today than ever before, said Proctor. However,
many companies need better processes for dealing with bug hunters, he said.

"I would like to see the growth of aggressive, formalized programs to work
with researchers who find vulnerabilities," Proctor said.

Flaw finders who contact software vendors are typically well-intended
security professionals, or enthusiasts who like to test the vulnerability of
software. Several companies, including TippingPoint and iDefense, pay
researchers for flaws they find and use the information in products to
protect their clients' systems.

Adverse effect?
But complying with researchers' request for more information is not that
easy, John Stewart, chief security officer at Cisco Systems, said during the
Black Hat discussion. Acknowledging a potential flaw might have an adverse
effect on security, he said.

"We can create undue attention onto something that might hurt our
customers," Stewart said. "If we know, to the best of our knowledge, that
there is a weakness in our product, we're attempting not to draw further
attention to it."

Companies all operate differently when it comes to dealing with bug hunters.
Microsoft has set a good example, accepting that it needs to work with the
security community, Proctor said. "Cisco is moving from anger to acceptance,
and Oracle from denial to anger," he said.

Cisco has worked hard to get into the good graces of the hacker community.
It threw a party at a Las Vegas nightclub for Black Hat attendees and sent
senior security staff to the event. That's in contrast to the previous year,
when the networking giant sued a security researcher and alienated itself
from the community to the extent that T-shirts with anti-Cisco slogans sold
well at the Defcon hacker event that follows Black Hat.

Oracle appears to be easing up a little on the security front. Its chief
security officer is now blogging, and the enterprise software company is
talking to the press about security topics. However, it is still often
critiqued for its unwillingness to deal openly with researchers.

Without communication, vendors risk losing the progress made toward
responsible disclosure. Turned off by a cold response, bug hunters
increasingly put pressure on software companies and go public with flaws,
instead of going the responsible route, said Tom Ferris, an independent
security researcher in Cupertino, Calif.

"I see more researchers not work closely with vendors and just giving them a
30-day grace period before going public with the flaws," Ferris said.