Responsible disclosure
In computer security, responsible disclosure (also known as coordinated vulnerability disclosure)[1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended. This period distinguishes the model from full disclosure.
Developers of hardware and software often require time and resources to repair their mistakes. Oftentimes, it is ethical hackers who find these vulnerabilities.[1] Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months. It is easier to patch software by using the Internet as a distribution channel.
Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005. These organizations follow the responsible disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI.[2] Independent firms financially supporting responsible disclosure by paying bug bounties include Facebook, Google, Mozilla, and Barracuda Networks.[3]
Vendor-sec was a responsible disclosure mailing list. Many, if not all, of the CERT groups coordinate responsible disclosures.
Disclosure policies
Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.[4]
ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor.[5]
Examples
Selected security vulnerabilities resolved by applying responsible disclosure:
- MD5 collision attack that shows how to create false CA certificates, 1 week[6]
- Starbucks gift card double-spending/race condition to create free extra credits, 10 days (Egor Homakov)[7]
- Dan Kaminsky discovery of DNS cache poisoning, 5 months[8]
- MBTA vs. Anderson, MIT students find vulnerability in the Massachusetts subway security, 5 months[9]
- Radboud University Nijmegen breaks the security of the MIFARE Classic cards, 6 months[10]
- The Meltdown vulnerability, hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors, 7 months.[11]
- The Spectre vulnerability, hardware vulnerability with implementations of branch prediction affecting modern microprocessors with speculative execution, allowing malicious processes access to the mapped memory contents of other programs, 7 months.[11]
- The ROCA vulnerability, affecting RSA keys generated by an Infineon library and Yubikeys, 8 months.[12]
See also
- Whistleblowing
- Information sensitivity
- White hat (computer security)
- Proactive cyber defence
- Computer emergency response team
- Critical infrastructure protection
References
- ↑ 1.0 1.1 Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management: a first look into bug bounty programs and responsible disclosure" (in en). Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing - ICTRS '19 (Rhodes, Greece: ACM Press): 49–55. doi:10.1145/3357767.3357774. ISBN 978-1-4503-7669-3. http://dl.acm.org/citation.cfm?doid=3357767.3357774.
- ↑ Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel (2009). "Modelling the Security Ecosystem - The Dynamics of (In)Security". http://www.techzoom.net/Publications/Papers/securityecosystem.
- ↑ http://securitywatch.eweek.com/vulnerability_research/facebook_joins_google_mozilla_barracuda_in_paying_bug_bounties.html
- ↑ "Feedback and data-driven updates to Google's disclosure policy". 2015-02-13. https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html.
- ↑ "Disclosure Policy". https://www.zerodayinitiative.com/advisories/disclosure_policy/.
- ↑ "MD5 collision attack that shows how to create false CA certificates". http://www.phreedom.org/blog/2009/verisign-and-responsible-disclosure/.
- ↑ "Hacking Starbucks for unlimited coffee". http://sakurity.com/blog/2015/05/21/starbucks.html.
- ↑ "Dan Kaminsky discovery of DNS cache poisoning". http://www.cert.org/netsa/publications/faber-OARC2008.pdf.
- ↑ "MIT students find vulnerability in the Massachusetts subway security". http://tech.mit.edu/V128/N30/subway.html.
- ↑ "Researchers break the security of the MIFARE Classic cards". http://www2.ru.nl/media/pressrelease.pdf.
- ↑ 11.0 11.1 "Project Zero: Reading privileged memory with a side-channel". https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html.
- ↑ The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec,Vashek Matyas, November 2017