[Infowarrior] - Mozilla: Hackers control bug disclosure

Sun Mar 25 03:59:21 UTC 2007

Mozilla: Hackers control bug disclosure

By Joris Evers
http://news.com.com/Mozilla+Hackers+control+bug+disclosure/2100-1002_3-61702
19.html

Story last modified Sat Mar 24 13:39:00 PDT 2007

WASHINGTON, DC--Software makers are at the mercy of bug hunters when it
comes to flaw disclosure, Mozilla's security chief said Saturday.

The software industry for years has pushed guidelines for vulnerability
disclosure. Those "responsible disclosure" efforts have had some effect, but
security researchers maintain control over the process, Mozilla security
chief Window Snyder said in a panel discussion at the ShmooCon hacker event
here.

"The researcher has all the power," Snyder said. "They control when they
disclose it, and they control the idea whether or not the vendor responds in
time."

Releasing vulnerability details has been hot topic for years. The software
industry advocates private disclosure of a bug and time to fix it before a
researcher goes public, a practice the industry calls responsible
disclosure. After all, early release could help criminals to launch
cyberattacks and damage a vendor's reputation.

Security researchers who follow the industry's guidelines are often
frustrated by a lack of response from software makers. Another frequent
point of criticism is the time it takes for a fix to be released and for the
researcher to get credit in a security alert.

"Vendors have a real responsibility to respond to what's reported to them,"
said Snyder, who previously worked at Microsoft.

But not everyone buys into responsible disclosure. It is a trap set by
software makers, said panel member Dave Aitel, of security software firm
Immunity. "Responsible disclosure is a marketing term," he said.
"Responsible disclosure plays into the hands of Microsoft and other big
vendors...they are trying to control the process."

Instead of disclosing a flaw to the vendor, Aitel wants bug hunters to sell
vulnerability information to him. Immunity pays bug hunters for details on
security vulnerabilities and uses those in his company's products, which
include penetration-testing tools that can be used to break into computers
and networks.

Chris Wysopal, CTO and founder of security review company Veracode,
disagreed that bug hunters are always in charge. "We see a lot of threats,"
he said. "Being on the receiving end of legal threats isn't an easy thing."

If a company unleashes its legal wrath onto a security researcher, then
that's an example of a company that doesn't know what it is doing, said
Rohit Dhamankar, manager of security research at TippingPoint, a seller of
intrusion prevention products.

"There are sophisticated vendors like Mozilla and Microsoft, and there are
vendors who have no clue about good process," Dhamankar said. TippingPoint,
which also pays security researchers for bugs, was threatened with a lawsuit
recently by a Web portal software maker, he said.

To gain a competitive advantage over rivals, companies such as Immunity and
TippingPoint pay bug hunters for flaws. By purchasing bug information, their
products can detect problems before any other product can and before an
official patch is available.

Ultimately, flaws don't get fixed without public disclosure, Wysopal said.
"The responsible thing is to send it to the vendor, but then you get stuck
with the vendor not doing anything about it if there isn't the threat that
it will be publicly disclosed," he said. "Public disclosure is the only way
to actually get things fixed."

Mozilla's Snyder said 30 days is a good timeframe to give a software maker
to come up with a fix and called on bug hunters to follow responsible
disclosure guidelines.

"I appreciate the work that's going on and I appreciate a little heads up
before the whole world finds out (about a security vulnerability)...I would
appreciate 30 days, but I will take what I can get."