a vulnerability; “security through obscurity”
• Pro: “Almost zero likelihood of exploit development” (well, it’ll probably happen anyway)
• Con: Less public scrutiny may reduce trust if/when disclosure does occur; “Many eyes make bugs shallow”
wherein you can find local tasting events and participate in a forum for fellow connoisseurs. You discover that the whole site is riddled with SQL injection and cross-site scripting vulnerabilities. What Would You Do?
• “Accident” led to password file being displayed in the MOTD
• From OSVDB vuln #23257:
• Multics CTSS on IBM 7094 contains a flaw that may disclose the contents of the password file...when multiple instances of the system text editor were invoked, causing the editor to create temporary files with a constant name...cause the contents of the system CTSS password file to display to any user logging into the system.
forebear to modern responsible full disclosure. Current incarnation says:
• Vendor/provider must respond within five (5) days, and maintain contact no less than every five (5) days
• Researcher and vendor/provider can agree upon delayed disclosure
• Five (5) days w/o initial response from vendor/provider -> full, public disclosure
Culp, makes statements suggesting that full disclosure is like “following a practice that's best described as information anarchy.”
On the heels of eEye’s disclosure of a vulnerability that may have benefited Code Red and Nimda authors
Community counters that eEye disclosed details at least one month before Code Red emerged
stop Billy Hoffman and Virgil Griffith’s presentation on vulnerabilities
July 2005: Michael Lynn plans to present on Cisco IOS vulnerabilities at BlackHat; threatened with lawsuit, investigated by the FBI
August 2008: MIT students prepare to talk about MBTA vulnerabilities at DEFCON; gag order issued (later lifted)
remotely exploitable vulnerability in the SRV2.SYS driver in Windows Vista, Windows Server 2008, and Windows 7
Vulnerability initially leads to Blue Screen of Death; as of September 17, remote code execution is possible
Microsoft says Gaffié was irresponsible for not notifying them; Gaffié counters, saying MS was irresponsible for bad QA
to say the same things: “Disclosure is evil!” “Disclosure is vital!” “Screw the vendor! Disclose all the way!” “Screw the industry! Keep vulnerabilities for yourself!” This happens like clockwork, year in, year out.
plan for a solution to the bug or flaw (and keep parties from stalling)
• crafting a sensible timeline for public disclosure of the bug or flaw
Document vendor-researcher interaction and disclosure process (for others to learn from)