Wednesday, September 27, 2006

When disclosure roles are reversed

Update: Another well written industry insider view point on the incident(s), 3 Rules of Incident Response for Public Affairs. Don't mind the silly alert pop-up.

Kelly Jackson Higgins (Dark Reading) posted a nice follow up to all the XSS disclosures going on, particularly ones within the websites of security companies. According the story both Acunetix and F5 denied they had any XSS issues. Fair enough, but as anyone could have predicted, the disagreement between the posters on and the vendors is bound to cause more activity, and indeed it already has. Its not like they can’t just look for more. For myself I'm not so much interested in this specific case, but more from a larger industry perspective.

I’ve said many times, no matter who you are or what you do, an incidents happen to everybody sooner or later. For security vendors, which I am, one of the last things you want is someone publicly disclosing vulnerabilities in your website. Especially when the issue is something you’re supposed to be able to protect against with your product or service. At that point the most important thing is how you go about handling the situation.

If the issue really did exist

You could take the approach of quietly fixing the vulnerability then denying the issue existed should anyone ask. Web application security vulnerabilities are difficult to verify after the fact. The problem with this approach is that it runs the risk of annoying the hacker types by not acknowledging the issue. They may take this as an opportunity to embarrass you further should they find something else you may have missed. I think we’d all prefer not become a continuing target.


Come clean. Acknowledge there was a problem and that it was swiftly resolved. Provide some verbiage as to what changes are being made to make sure it never happens again. You could also supply a security contact email address should anyone find something else in the future. This approach shows honestly, integrity, and willingness to improve upon due diligence. Not only do you take the current matter off the table, you’re providing a private channel of communication before a situation becomes public.


Blame the company hosting your website!

If the issue really didn’t exist

State clearly why you don’t think the vulnerability existed. In a non-defensive manner, ask for more information from the person in a private setting. They’ll appreciate the care and any conversation can be kept in confidence. Explain to whomever is interested that your looking into the matter and will promptly resolve any problems that surface.

My Advice

One way or the other we ALL better get used to dealing with vulnerability disclosure in our websites. Whoever we happen to work for won't matter. My advice is take the matter seriously and act with due care. Don’t fall into the trap of denial, work productively with the person disclosing, and get ahead of the issue by clearly stating what your doing about it. You’ll be better off.

No comments: