[olug] Security Vulnerability Disclosures

Nick Walter waltern at iivip.com
Tue Mar 25 21:51:55 UTC 2003


Notifying the software creators and giving them lead time to patch can
prevent the script kiddies from having a field day with the
vulnerability of the week.  The flipside is that I'm still running a
vulnerable service while the patch is getting cooked up.  If the service
isn't critical, I'd like some sort of vague heads up that there is a
known security issue with a software package.  Then I could temporarily
kill it entirely for increased protection.  Just because an exploit
hasn't been posted on bugtraq doesn't mean that some hacker isn't having
fun rooting my boxes.  

My dream scenario would be along the lines of:

1.)  Security flaw discovered
2.)  Simultaneous notification to bugtraq/media/public and software
vendor.  Only the software vendor gets the details, everyone else just
gets "I think I've found a problem, and in 30 days I will be publishing
full details."  
3.)  30 days later, full details with sample exploit code is released. 
This step is important, because without full disclosure, vendors won't
release patches.

Nick Walter


On Tue, 2003-03-25 at 15:41, andrew wrote:
> Well.  If I discover a vulnerability, and disclose it to your vendor, 
> I'm sure that you'd prefer that I released the details to the affected 
> vendors only.  This is not always how things work out.  In fact, there 
> have been a couple of stories recently about security companies getting 
> hacked and their recently discovered exploits being published in advance 
> of the vendor's solution for the exploit. 
> 
> It's a double edged sword.  Full and immediate disclosure means a 
> guaranteed period of time between discovery and patch.  Why deal with 
> that when you can develop the patch and release the details for the 
> exploit concurrently with your patch?  On the other hand, if you sit on 
> the exploit long enough, someone else may find it and exploit it before 
> you can patch it.  Then you're faced with the possibility that someone 
> else could have patched the exploit sooner than you, thus preventing the 
> spread of the exploit. 
> 
> The problem with your cancer analogy is that the doctor doesn't actually 
> have the power to 'patch' cancer.  That is, there is no reason for the 
> doctor to withhold information from you as releasing the information 
> doesn't create a situation where cancer spreads faster.
> 
> I think that disclosing vulnerabilities as they are found is a bad 
> practice.  A variable length grace period needs to be assigned to the 
> publish date of each exploit.  The vendor should be able to fix most 
> non-fundamental bugs in a short period of time.  Of course, among bug 
> hunters, there is no prize for second, so take that fwiw. 
> 
> Andrew Holm-Hansen
> 
> Eric Penne wrote:
> 
> >I'm lookin for a rational discussion not a flame war on the benefits of
> >full vs delayed disclosure of security vulnerabilities.  I know this topic
> >generally borders on the flame war type of discussion but I'm reasonably
> >certain OLUG is above this childish crap.
> >
> >I'm not a security professional by any means.  I run my small webserver
> >for my family and another for a friend.  As the sysadmin though I put
> >trust in the groups that I get software from.  One of those trusts is that
> >the software is secure.  I think that if the software is found to have a
> >vulnerability then it is in my best interest to know right away so that I can
> >take action to prevent my servers from getting cracked.  If that means
> >taking my crappy little servers off line then I'll do that.  Another of
> >those trusts is that the software group tells me or publicly posts
> >information that I can find to alert me to the vulnerability.
> >
> >I know some corporations cannot take machines offline.  How much of this
> >debate is about security, saving/making money from the security
> >information, and pure public relations?
> >
> >In the end, I'm the person responsible for the ultimate security of my
> >machine.  I don't like people knowing something about my machine (which is
> >a reflection of me) that I don't know about.  If I had cancer, the doctor
> >would not withhold this from me, because it is about me.  This is one of
> >the reasons I like to use open source software.  Even though I don't go
> >through the code to find vulnerabilities, somebody else out there may be
> >doing it and they are not bound by some stupid EULA for non-disclosure of
> >problems.
> >
> >The preceding was just a thought I had.  Comments, criticism, and general
> >thoughts are appreciated.  Flames will be sent where they belong, file 13.
> >
> >Eric
> >
> >
> >_______________________________________________
> >OLUG mailing list
> >OLUG at olug.org
> >http://lists.olug.org/mailman/listinfo/olug
> >  
> >
> 