Bug reporting could be a hot topic at Black Hat
June zero-day leads to 'radical' changes in disclosure landscape
Computerworld - How researchers report vulnerabilities -- and how companies react to those reports -- may be one of the briskest topics at this week's Black Hat security conference.
The debate isn't new -- researchers and vendors have quarreled over bug reporting philosophies for as long as the former have found bugs in the latter's software -- but the subject kicked into a higher gear last month.
That was when Tavis Ormandy, a security researcher employed by Google, went public with a critical Windows bug just five days after reporting it to Microsoft. Ormandy said he disclosed the vulnerability when the company wouldn't commit to a patching deadline; Microsoft has disputed that, claiming that it only told Ormandy it would need the rest of that week to decide.
Whether it was a breakdown in communications between the two parties or a misunderstanding, Ormandy's publication of attack code for a Windows XP vulnerability -- since patched by Microsoft -- unleashed a heated debate.
Some security researchers criticized Ormandy for taking the bug public, while others rose to his defense, blasting both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer.
"The upsetting trend, which I imagine has been keeping security companies playing along with Microsoft's silly game, is for Microsoft to call into question the ethics of the reporter, and even if that reporter was acting independently, tying that question of ethics to the reporter's employer," wrote researcher Brad Spengler in an epistle to the Dailydave security mailing list.
Spengler later declined to be interviewed by Computerworld.
But his post was influential: It was widely circulated among security researchers and rekindled the conversation about the Ormandy-Microsoft incident, as well as the larger conversation about when and how bug finders report their discoveries, and how vendors react to those reports.
For years, the debate has been between two concepts: "full disclosure" and "responsible disclosure."
In the former, researchers release information about a vulnerability when they see fit, or after a vendor balks at or delays a patch. The logic: When a bug goes public, companies fix flaws faster under the pressure, which may include the fact that the publication of the flaw has led to actual attacks.
"It's been shown that vendors can move much quicker when there's an exploitation in the wild," said Dino Dai Zovi, a security researcher who will be presenting Thursday at Black Hat.
Responsible disclosure, on the other hand, holds researchers on a tighter rein. Under that philosophy, a researcher privately reports a bug to the software maker -- or to some other organization that reports the vulnerability for them -- then waits for the developer to patch it before publishing details and exploit proof-of-concept code.
- Secretive group seeks recruits at Defcon, finds skepticism
- Hacker snoops on GSM cell phones in demo
- Free Android apps scrape personal data, send it to China
- U.S. should seek world cooperation on cyber conflict, says ex-CIA director
- 'Unhackable' Android can be hacked, Black Hat researchers say
- Update: ATM hack gives cash on demand
- BitBlaze tool boosts bug-hunting productivity 10-fold
- Apple patches Safari ahead of Black Hat talk, launches add-on gallery
- Black Hat: Most browsers can be made to give up personal data
- AT&T: We don't intend to stop Black Hat demo
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts