Tuesday, November 20, 2007

PayPal’s Vulnerability Disclosure Policy includes researcher protection

Update: 11.28.2007: Security Retentive, a PayPal employee who was personally involved with crafting the language of their disclosure policy, responds to public comments.

Update 11.21.2007:
Kelly Jackson Higgins posted a story covering the post.

Very few website owners post how security researchers may contact them about a discovered vulnerability. This seems odd, since most experts believe the vast majority of websites contain them. Microsoft, Yahoo, Google, and now PayPal have their contact policies posted. For the rest of the Alexa 500, if a policy exists at all, it is extremely hard to find.

PayPal's newly posted vulnerability disclosure policy deserves special attention, though, because they have done something unique and, in my opinion, very intelligent security-wise. If the researcher follows their stated procedure, which is entirely reasonable, PayPal states plainly that it will not pursue legal action. This should give the researcher confidence that nothing bad is going to happen to them as a result. Note the wording below: the commitment is conditional on PayPal concluding that the guidelines were met, and it covers PayPal's own action, not that of any third party. Even so, I think this is a first, and if not, I've never seen it.

“To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.”

This indicates that PayPal understands that security researchers are the good guys, but that researchers are wary of disclosing website vulnerabilities to them for fear of legal issues. As a result, researchers may choose either not to disclose at all or to post the finding anonymously to a public forum, as has been done so many times on sla.ckers.org. This way they are personally protected, but the problem is that it puts PayPal and their customers in a bad position.

PayPal either doesn't get the vulnerability data they need at all and waits for a bad guy to find the exact same thing and exploit it, or they have to run a fire drill once it's made public. And they might not see the public post right away, which adds further delay. PayPal would much prefer the opportunity to handle the issue in a timely fashion and has no interest in pursuing the matter further, because there is really no benefit to doing so. Legal entanglements only prevent the good guys from being responsible and don't deter the real bad guys one bit, and PayPal would know, given the nature of their business.

PayPal sets a good example; hopefully other website owners will take notice and do the same.


Anonymous said...

I agree this is a giant leap in the right direction.

Too bad "...all the guidelines outlined below." contain holes they can drive a Mack truck through.

"Allow us reasonable time to respond to the issue before disclosing it publicly."

So basically they can decide that any time period (6mo, 1yr, 2yr) wasn't reasonable and "cya in court".

Jeremiah Grossman said...

For many organizations out there I can certainly agree with the skepticism, but not for PayPal IMHO. First though, PayPal has no way of knowing how long a particular fix will take, so it makes sense for them not to commit to a hard time limit; they must keep the language a little vague. From personal experience and witnessing disclosures from others, PayPal is really on top of things and fixes within days. I'd give them the benefit of the doubt.

Anonymous said...

I'm not sure if it will be useful in the future, but I have posted several SHA values of the statement on my site.

Go forth and do good things,
Don C. Weber
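Pinning published digests of a policy, as the comment above describes, only works if the same bytes can be reproduced later; text copied from a web page tends to pick up curly quotes, non-breaking spaces, different dashes and re-wrapped lines, any of which changes the hash. The following is an added example, not Don Weber's script or anything from the original post, showing one way to canonicalize the statement before hashing so that a digest mismatch reflects a change in wording rather than in rendering. The hashed text is the single sentence quoted in the post, used here as a constructed stand-in for the full policy; the digests it produces are therefore not the ones Don posted.

```python
import hashlib
import re
import unicodedata

# Constructed stand-in: the one sentence quoted in the post, not the full policy.
POLICY_TEXT = (
    "To encourage responsible disclosure, we commit that \u2013 if we conclude that a "
    "disclosure respects and meets all the guidelines outlined below - we will not "
    "bring a private action or refer a matter for public inquiry."
)

# Several algorithms, as in the comment, so a later weakness in one does not
# invalidate the whole record.
ALGORITHMS = ("sha1", "sha256", "sha512")

# Typographic characters that HTML rendering or copy/paste commonly swaps in.
_TYPOGRAPHY = str.maketrans({
    "\u2018": "'", "\u2019": "'",   # single curly quotes
    "\u201c": '"', "\u201d": '"',   # double curly quotes
    "\u2013": "-", "\u2014": "-",   # en dash, em dash
    "\u00a0": " ",                  # non-breaking space
})


def normalize(text: str) -> str:
    """Canonical form of the statement: Unicode NFC, plain ASCII punctuation,
    and all runs of whitespace (including CRLF and wrapped lines) collapsed.
    Word changes survive this; rendering changes do not."""
    text = unicodedata.normalize("NFC", text)
    text = text.translate(_TYPOGRAPHY)
    text = re.sub(r"\s+", " ", text)
    return text.strip()


def fingerprint(text: str) -> dict:
    """Hex digests of the canonical text under every algorithm in ALGORITHMS."""
    canon = normalize(text).encode("utf-8")
    return {alg: hashlib.new(alg, canon).hexdigest() for alg in ALGORITHMS}


def verify(text: str, published: dict) -> dict:
    """Per-algorithm comparison of the text seen now against published digests.
    A missing algorithm in the current set counts as a mismatch."""
    current = fingerprint(text)
    return {alg: current.get(alg) == digest for alg, digest in published.items()}


def changed(text: str, published: dict) -> bool:
    """True if any published digest fails to match the text as seen now."""
    return not all(verify(text, published).values())


if __name__ == "__main__":
    record = fingerprint(POLICY_TEXT)
    for alg, digest in record.items():
        print(f"{alg}: {digest}")
    # A rendering-only difference does not trip the check...
    rewrapped = POLICY_TEXT.replace("\u2013", "-").replace(" ", "\n  ")
    print("rewrapped changed:", changed(rewrapped, record))
    # ...but a change of wording does.
    softened = POLICY_TEXT.replace("will not", "may")
    print("softened changed:", changed(softened, record))
```

The trade-off is deliberate: canonicalization gives up sensitivity to whitespace and quote style in exchange for digests that survive a copy out of a browser. Publish the canonicalization rules alongside the digests, otherwise a third party cannot reproduce them, and keep a copy of the raw text as well in case the exact bytes ever matter.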

Jeremiah Grossman said...

A healthy level of skepticism is appropriate. While I would expect PayPal's policy to be refined from time to time, I believe their interests are in alignment with the general security researcher.

Andy Steingruebl said...

I have posted some commentary on the policy here:


I helped write the policy so hopefully my post will be useful.

Anonymous said...

Thanks Security Retentive.

Anonymous said...

worth reading. thanks