Flaw finders to software makers: It's payback time

In recent years, software companies have hammered out rules with researchers on disclosure, which cover how and when vulnerabilities are made public. Now flaw finders want something in return: more information from software providers on what they are doing to tackle the holes the researchers have reported.

"We have gone from the old 'full disclosure' to 'responsible disclosure' debate, to a debate over 'The vendor has the information--what does it do with it?'" said Steven Lipner, senior director for security engineering strategy at Microsoft.

Software vendors need to establish protocols for interacting with researchers who share bug information, experts said. If they don't, they could risk losing the progress that has been made towards responsible disclosure of flaws.

Many bug hunters now understand and follow the "responsible disclosure" guidelines advocated by software companies. Under this approach, a researcher who uncovers a flaw will, as a first step, contact the maker of the affected software and share details of the vulnerability.

In the past, researchers tended to favor full disclosure, in which they would publish details of security flaws they had found on mailing lists or on security Web sites, regardless of whether a fix was available.

However, companies want to keep bug details under wraps at least until a patch is ready. They argue that with a patch, users of the flawed software can plug the hole and protect themselves against possible attacks. By contrast, with full disclosure vendors are sent scrambling to fix a flaw, while customers are exposed.

"The tension has always been the same," said Gartner analyst Paul Proctor, who moderated a panel discussion on disclosure at the recent Black Hat security conference. "Researchers want the vendors to be more aggressive, and the vendors want the researchers to show more discretion. While they both have the same goal of a more secure Internet, their perspectives are different."

Brick wall
While many researchers now follow responsible disclosure practice, some feel that their conscientiousness is not being reciprocated. In many cases, the say, they run into a brick wall or get a limited response at the software maker, which pays them little respect for their work.

"There is nothing more frustrating then trying to help a vendor secure its product in good faith and not getting decent communication back in return," said Terri Forslof, security response manager at TippingPoint, which sells intrusion prevention systems. Forslof is responsible for sharing flaw details with vendors through TippingPoint's Zero Day Initiative bug bounty program. Others agree: Her comments echo the sentiments expressed by many researchers at the Black Hat panel discussion.

There is a simple recipe for satisfying flaw finders, Forslof said. A company should acknowledge the issue; provide ongoing information on the status of a fix; and be open with the researcher about the processes involved in producing an update.

"An open line of communication is essential," said Michael Sutton, one of the Black Hat panelists and director of VeriSign's iDefense, which deals with software makers and vulnerability researchers. "It is the vendor's responsibility to proactively update the researcher on a regular basis on the progress that is being made in patching the issue."

Much progress has been made, and security researchers and software makers are working better together today than ever before, said Proctor. However, many companies need better processes for dealing with bug hunters, he said.

"I would like to see the growth of aggressive, formalized programs to work with researchers who find vulnerabilities," Proctor said.

Flaw finders who contact software vendors are typically well-intended security professionals, or enthusiasts who like to test the vulnerability of software. Several companies, including TippingPoint and iDefense, pay researchers for flaws they find and use the information in products to protect their clients' systems.

Adverse effect?
But complying with researchers' request for more information is not that easy, John Stewart, chief security officer at Cisco Systems, said during the Black Hat discussion. Acknowledging a potential flaw might have an adverse effect on security, he said.

"We can create undue attention onto something that might hurt our customers," Stewart said. "If we know, to the best of our knowledge, that there is a weakness in our product, we're attempting not to draw further attention to it."

Companies all operate differently when it comes to dealing with bug hunters. Microsoft has set a good example, accepting that it needs to work with the security community, Proctor said. "Cisco is moving from anger to acceptance, and Oracle from denial to anger," he said.

Cisco has worked hard to get into the good graces of the hacker community. It threw a party at a Las Vegas nightclub for Black Hat attendees and sent senior security staff to the event. That's in contrast to the previous year, when the networking giant sued a security researcher and alienated itself from the community to the extent that T-shirts with anti-Cisco slogans sold well at the Defcon hacker event that follows Black Hat.

Oracle appears to be easing up a little on the security front. Its chief security officer is now blogging, and the enterprise software company is talking to the press about security topics. However, it is still often critiqued for its unwillingness to deal openly with researchers.

Without communication, vendors risk losing the progress made toward responsible disclosure. Turned off by a cold response, bug hunters increasingly put pressure on software companies and go public with flaws, instead of going the responsible route, said Tom Ferris, an independent security researcher in Cupertino, Calif.

"I see more researchers not work closely with vendors and just giving them a 30-day grace period before going public with the flaws," Ferris said.