Wednesday, January 10, 2007

Disclosure 2.0

Recently I’ve been discussing how vulnerability discovery is more important than disclosure. And also how website owners are going to have to deal with the disclosure whether they like it or not. Scott Berinato’s (CSO), The Chilling Effect, just posted a very well-written article describing the current web security environment and where we’re heading. Definitely worth the read and RSnake has posted his comments.

From the experts:

Dr. Pascal Meunier (Professor, Purdue University)

“He ceased using disclosure as a teaching opportunity as well. Meunier wrote a five-point don't-ask-don't-tell plan he intended to give to cs390s students at the beginning of each semester. If they found a Web vulnerability, no matter how serious or threatening, Meunier wrote, he didn't want to hear about it.”

Rsnake ( and

“RSnake doesn't think responsible disclosure, even if it were somehow developed for Web vulnerabilities (and we've already seen how hard that will be, technically), can work.”

Jeremiah Grossman (CTO, WhiteHat Security)

"Logistically, there's no way to disclose this stuff to all the interested parties," Grossman says. "I used to think it was my moral professional duty to report every vulnerability, but it would take up my whole day."

Chris Wysopal (CTO, VeriCode)

“… responsible disclosure guidelines, ones he helped develop, "don't apply at all with Web vulnerabilities."

Jennifer Granick (Stanford's Center for Internet and Society)

“Granick would like to see a rule established that states it's not illegal to report truthful information about a website vulnerability, when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it.”


Unknown said...

After reading "The Chilling Effect" blog entry, I can say that situation is going to get much worse. Pursuit of "whitehat" hackers who take the time to disclose bugs to the vendor will in my opinion lead to three things.

First people will not report security issues leaving software vulnerable to attack and you can be certain that what one hacker found another, perhaps with no scruples will find soon enough. This means more vulnerable software all around.

Secondly, we are going to see far more MOAX type of disclosures that by putting all the information without notice online the hacker makes everyone a suspect, especially if proofs of concept are being provided. My prediction would be that 2007 would be the year of 0-day exploits.

Finally, I suspect that at least certain portion of white/grey hat folks will turn blackhat selling their discoveries. After disenchantment with the way they are being treated by software vendors.

Anonymous said...

The difficulty here is that "the software" isn't a monolithic piece of code owned by one clearly defined vendor. So many web sites rely on homegrown scripts, server-side config files and what not that a pen tester would be hard-pressed to find whom to contact. Many times, it's not an application that is vulnerable, but a n entire web site.

This is why IMHO a model like bugtraq isn't adapted to web application vulnerabilities.

I am not sure there is a solution - or at least if there is, it isn't an easy one. Maybe a pull model where a legitimate web site owner could register his/her web site and be informed on a case-by-case basis that his/her web site is vulnerable, without disclosing this to massive audiences?

Anonymous said...

You can't give people clues. They won't know what to do with them.

If you sell clues, people will think you are trying to extort them.

Smart good guys will keep their mouths closed (leaving the bad guys to 'have fun' on poorly coded websites).

Example (yes, it doesn't get much worse than this, but it happens too often): upon going to a website one casually glances at the URL and notices that the SQL query is in the URL itself. Does it matter if you tell the programmers of the site?

While you may be able to explain the vulnerability to them, what makes you think that they would be capable of creating a 'secure' webapp if they make a mistake that a moderately bright sixth grader could find?

If the people who make rudimentary mistakes do not hire someone with competence, all they will do is substitute one mistake for another.

The fact of the matter is that most people can't afford Jeremiah anyway (I would assume he charges large sums for his services, and I am certain he is worth every penny of the fee if you can afford it).


Jeremiah Grossman said...

Thank you for that. My rates, or WhiteHat's rates rather, are reasonable, but not certainly not cheap. Cleary this market is going to have to bring the price down to be able to include the general masses.