Wednesday, January 03, 2007

Disclosure: Ready or Not

You know the drill: A security researcher finds a vulnerability, then discloses it to a mailing list (zero-day) or “responsibly” to a software vendor like Microsoft/Oracle/Apple etc. for patch creation. Over the last decade we’ve endured endless “disclosure” debates regarding ethics, the common good, alerting the press, legalities, and so forth. Through a long and painstaking process, and whatever your personal view on disclosure, we can probably all agree that an active dialog between researcher and software vendor has thankfully been established. Yet, as we step deeper into a Web 2.0 world, the same process, with the same lessons learned, will have to be repeated - this time between researcher and website owner.

Clearly Google, Yahoo, MySpace, Netflix, and many others already know it. And, check out these threads on the to view the hundreds of other websites feeling the disclosure heat. The difference is these are web businesses. And, the thousands of others like them from Amazon to Zappos (listed by Alexa) are not traditional software vendors selling shrink-wrapped CD’s. They’re businesses that just happen to write software fueling their own web-based business. And, it should come as no surprise that most will be unfamiliar with InfoSec community collaboration and the finer points of vulnerability disclosure. To them, this stuff is very new.

For the rest of us who’ve been around a little while, we understand the vast majority of websites have serious vulnerabilities. We know the bad guys are hunting for them and obviously won’t be disclosing their findings. This leaves us with the “good guy” researchers who disclose issues openly so they can be dealt with. All of this leads to the point where website owners will have to deal with disclosure, not because they want to, but because they’ll have to. So, it's probably safe to say most do not have a process in place for when a researcher contacts them, or when the reporters call, or the concerned customer inquires after that. Heck, for that matter, they’re unlikely to even have a security@ disclosure email address.

To be fair, it takes the executive staff of a web business some time to adjust when they first hear about a stranger emailing to inform them that their web business is in jeopardy because they’ve got something they’ve never heard of called Cross-Site Scripting (or some other confusing jargon). It’s understandably hard for them to see the researcher as anything but a threat, just as it was for the software vendors in years past. And even today the relationship is a rocky one. And, let's face it, security researchers can be an eccentric bunch to work with, to put it politely. We'll all have to work together, again.

1 comment:

Anonymous said...

it's a personal dream of mine to report a finding to an administrator over Gabbly