Saturday, June 24, 2006

On bug disclosure and contact with vendors

After reading HDM's blog entry on interaction with MS on one of the recent bugs, I guess I should drop my 2c's worth of opinion into the bowl regarding bug disclosure:

So sometimes I get the urge to find bugs. Then I go out and sometimes I find bugs. Then I usually feel quite happy and sometimes I even write an exploit. I do all this out of personal enjoyment -- I like bugs. I like having to play carambolage billiards to get an exploit to work (meaning having to bounce things off of each other in weird angles to get stuff to work). Now, of course, once I am done I have several options on what to do with a bug.
  1. Report it to the vendor. This would imply the following steps, all of which take up time and effort better spent on doing something interesting:
    1. Send mail to their secure@ address, requesting an encryption key. I think it is amusing that some vendors like to call security researchers irresponsible when the default channel for reporting vulnerabilities is unencrypted. That is about as irresponsible as the researchers talking about vulnerabilities on EFNET.
    2. Get the encryption key. Spend time writing a description. Send the description, possibly with a PoC.
    3. MSRC is a quite skilled bunch, but with almost any other software vendor, a huge back and forth begins now where one has to spend time explaining things to the other side. This involves writing boring things explaining boring concepts etc.
  2. Sell it to somebody who pays for vulnerabilities. While this will imply the same lengthy process as mentioned above, at least one can in theory get paid for it. Personally, I wouldn't sell bugs, but that could have several reasons:
    1. I am old and lame and can't find bugs that are good enough any more
    2. The few bugs that I find are too close to my heart to sell -- each good bug and each good exploit has a story, and I am not so broke that I'd need to sell something that I consider inherently beautiful
    3. I don't know the people buying these things. I don't know what they'd do with it. I wouldn't give my dog to a total stranger either.
  3. Keep it. Perhaps on a shelf, or in a frame. This implies zero effort on my side. It also gives me the joy of being able to look at it on my wall and think fondly of the story that it belonged to.
So in case of 1), after having spent weeks on a bug, I have to spend more time doing something unenjoyable, and get a warm handshake with the words 'thanks for helping secure (the internet/the world/our revenue stream)'.
In case 2), I get a warm handshake, some money, and a feeling of guilt for having given my dog to a total stranger.
In case 3), I have something to look at with fond memories and have to invest no time at all into things that I don't find interesting.

What would be your choice?


BuschnicK said...

My choice?
4) Irresponsibly publish it on some bulletin board or newsgroup, get some fame, get lots of trouble, put the vendor under pressure fixing the thing.

Will probably never happen since I mostly find bugs in my own software which I will most certainly _not_ publish ;-)



Drew Hintz said...

Here's HD's post that Halvar was probably referring to:

Paolo Palumbo said...

I would say #1, as it keeps the conscience free and at the same time boosts the ego... :P