3.16.2010

Public disclosure? Why even bother?

Hello again,

This time I'm going to talk about proper disclosure. For those who don't know what that is, here it is: you test a product, you see that it has a bug, you exploit it and you write an email to the vendor to inform them about it. You wait a few days, they work on a fix in the meantime, they release the fix and finally they thank you and we are all happy. That is the theory, but...
Real life is almost never like this. You can consider yourself lucky if you get a response from the vendor, or if something gets fixed. If indeed something gets fixed, it usually takes a few weeks (even months sometimes) and you'll certainly never get a simple thanks (from my experience, at least).
I remember a few years ago, when I had some spare time, that I started poking around with a few high-class .ro domains as potential targets. All I did was a few basic SQL injection and cross-site scripting tests, but I found a few interesting vulnerabilities out there. I contacted the companies to inform them about the problems, but nothing. I waited a couple of weeks, and still nothing. After a month I tried again, and the problems weren't there anymore (at least they had changed their code).
When I saw that they had repaired their vulnerabilities, I decided to try a little harder and see if something else popped out. It did. I again tried to get in contact, but no response. After a while they again changed their code, but I'm afraid to look again - who knows what I'll find this time? Of course, still no contact.

From that point on, I decided that what I'm going to do is this: when I find a bug, I contact the vendor. From that moment, the vendor has exactly 1 week to respond or correct the bug. If by that time I get no response, I'll go public and disclose the vulnerability. I know that some of you will blame me for what I've written here, but let's face it: it's not right. You find a vulnerability (you're doing in your free time what other people are paid to do), you contact the vendor, and you don't even get a response. Is that fair? It's not fair to me, to you, or to the time spent finding it. I know that there are some vulnerabilities that can be devastating for the public (see Kaminsky's DNS flaw back in 2008), but that's an exception that I'm going to make. The only thing that vendors are afraid of is the bad publicity they get if their code is hacked in broad daylight. Like it or not, that's the truth!
You say that maybe the vendor doesn't have time to answer? Come on! One week is enough for anyone. If they don't do it in a week, they will not do it in 2 or 3 weeks, or ever. And please don't tell me that they have no time or programmers to fix the vulnerability, because nowadays everybody works in teams.
To be concise: write back within a week, or fix your code in the same time frame, or hope that I'll find the next Kaminsky bug; otherwise I'm going public, baby!
What's your policy on disclosing vulnerabilities?

UPDATE: It seems that there are others that don't care about their users and the vulnerabilities that can be exposed in their bogus software. Does Microsoft ring a bell? Check it out here! How about Apple? 20 vulnerabilities found with only 5 lines of code written in Python... this is pure blasphemy, guys (story here).
Blame me all you want, but I'll stick with my 1 week policy!

PS: It seems that my 1 week policy works well so far. Kaspersky Romania took 2 days to respond. More updates on Kaspersky will follow.
