Sunday, November 15, 2009

Why are most researchers not a fan of standards on "responsible disclosure"

I usually try to stay away from the politics of vulnerability disclosure, mostly because I think (to paraphrase Feynman) that politics of vulnerability disclosure are as useful to the vulnerability researcher as ornithology is to birds.

But it seems that the entire discussion is not going away. The intensity of the reactions to k8em0's twitter post might be partially explained by the history of this all. I'll try to refresh what I remember:

A lot of the older vulnerability researchers remember the ghastly OIS attempt at forcing a standard written by a bunch of non-researchers down the throats of the research community. From the outside, it looked mostly like an attempt to kiss up to some vendors that were spending a lot of money on security review during that time.

I might be stepping on some people's toes, but to me it looked like a high-school class where the dimmest students drew up guidelines on how smart students "should" behave, and gave that to the teacher in order to earn brownie points - including clauses like 'not contradicting the teacher'.

Unfortunately, most of the research community prefers to do work instead of discussing with people that have little of interest to say about how researchers should work. The result of this is that researchers were rarely ever involved in the entire discussion. Not for lack of opportunity, but mostly lack of interest -- if I can actually go and surf, why would I discuss with a bunch of people sitting in an office about the right way to come back to the beach?

The entire discussion has always been somewhat phony. The entire "responsible/irresponsible" angle is slightly fraudulent. The way I see it is the following:
  1. It is acceptable for AV companies to charge for signatures, which are in essence "information about malware"
  2. It is acceptable for AV companies to not publish, nor provide, malware to other parties, or to charge for it
  3. It is acceptable for software vendors to charge so I can use their software. It is also acceptable for them to charge more so that I can read their source code.
  4. Why, again, should a researcher be obliged to provide information to vendors free of charge?
  5. If anyone argues it's "responsible" to make everyone safer, I say: I'll give all my bugs to all vendors the same day that all security companies of the world provide free licenses for everyone for their software.
But well. Honestly, I am not sure whether I should post this. I do not really feel like spending too much time discussing this. But perhaps that's part of the problem...


Vikram Phatak said...

100% Right on the money. (Pun intended)

Aviram Jenik said...

Great Post.

The analogy to Anti-Virus will always break down, though. These guys have a "guild" where they share information with each other and the respected vendors but not with the world. It's a very unique structure that comes in part to raise a barrier from competitors coming in swiftly.

I think the answer, rather than parallel it to AV, is to create a "researcher guild" that will be strong enough to create researcher-oriented rules which will set the standard. Researchers can then say they were "following industry standards" which is what the AV companies are saying when asked why malware is being exchanged freely among them.

Unknown said...

>I am not sure whether I should post this.

You shouldn't. Because then you may have a hard time in the future getting contracts and stuff.

See, if you know the basic thing about economics, it's very obvious that for an individual researcher, responsible disclosure is against their interests.

Full and responsible disclosure are in place because the industry realized that building good software is complicated and expensive, and they are a way to reduce cost by employing cheap programmers and making people report bugs for free.

Makes all the sense in the world if you have a business that builds software. But it's in direct conflict with the interests of programmers and researchers, the first being replaced with cheap code-monkeys that churn out one bug per function, and the second forced to give up their work for free.

In fact, I may be wrong, but I'm pretty sure that there are laws about this kind of price-fixing behavior, because enterprises do this kind of thing constantly in other fields.