Firm To Release Database, Web Server 0-Days

krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."

What's up with the confusing article title?

[Qubit]

Firm To Drop Database, Web Server 0-Days

The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:

Fed-up security firm to release Database & Web Server vulnerabilities publicly

Look at how much more information is conveyed in that second title. A work of beauty, it is.

Re:What's up with the confusing article title?

[gregarican]

Perhaps the firm is issuing a malicious DROP DATABASE T-SQL command, escaping through some unsanitized web query...

Re:What's up with the confusing article title?

[Arancaytar]

We're lucky Slashdot properly escapes its SQL input. Aa headline like "Firm to 'DROP DATABASE `web_server`" might otherwise result in havoc. :P

Re:What's up with the confusing article title?

[gregarican]

So let me get this straight. Slashdot validates their SQL input. But they don't validate their HTML conformance [w3.org]?

Re:

[iammani]

The same with google.com [w3.org] or gmail.com [w3.org] or facebook [w3.org] or any website that needs to support a variety of browsers (even browsers that are not standards compaint).

PS: wikipedia was complaint, its should applauded for its effort.

Re:What's up with the confusing article title?

[tftp]

PS: wikipedia was complaint, its should applauded for its effort.

What have I done to deserve this pain?

Re:What's up with the confusing article title?

[ais523]

I can't figure out if you came up against Muphry's Law there, or if Slashdot's parsing decided to do it for you...

Re:

[thePowerOfGrayskull]

So let me get this straight. Slashdot validates their SQL input. But they don't validate their HTML conformance [w3.org]?

What does one have to do with the other? Proper sanitization of inbound data is basic security. HTML conformance is important to, but failing to conform isn't going to result in data theft, loss, or corruption on the servers.

Re:

[gregarican]

Swoosh...

What about bobby tables?

[0100010001010011]

This guy should rename his name to Bobby Tables [xkcd.com] at the same time. Imagine the number of newspapers that would try to do a press release, but couldn't.

Re:

[Anonymous Coward]

Firm To Drop Database, Web Server 0-Days

The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:

Fed-up security firm to release Database & Web Server vulnerabilities publicly

Look at how much more information is conveyed in that second title. A work of beauty, it is.

In the submit story page, your proposed headline would look like:

Fed-up security firm to release Database & Web Ser

See how it truncates?

Re:

[Anonymous Coward]

Fed-up Firm to release 0-Day Exploits
Fed-up Firm to release DB and Web Server exploits

Or other hundreds of ways it can be phrased with-in the character limit.

Re:

[Qubit]

In the submit story page, your proposed headline would look...

Yeah, but one person looks at the headline on the Submit Story page. Then an editor pokes it with a stick. All the rest of Slashdot reads it on the front page.

I always figured that the editors ruthlessly edit the headlines, as is their Cowboy-Neal-granted right. Maybe they don't even bother to do that anymore...

Re:

[noidentity]

Yes, I assumed this was an article about a firm dropping support for a database and webserver without any notice (perhaps a DRM-supplying company or something). Just below this headline is another misleading one, "CES Vendors Kicked Out of Hotels For Showcasing Wares in Room", which suggests they were showing pirated software.

Re:

[DMUTPeregrine]

"Wares" does not mean pirated software, "warez" does. "Wares" just means any items offered for sale.

Re:

[Stavr0]

Firm To Drop Database, Web Server 0-Days

The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable.

Perhaps "Firm to GRANT SELECT ON database, web server 0-days TO PUBLIC"

Re:

[tag]

The verb to drop has specific meaning w.r.t. databases.

There's an xkcd [xkcd.com] for that.

Why not?

[Monkeedude1212]

FTFA:

At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret

Hasn't this been proven to be true - and legal?

In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think its completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it forcing the vendor to fix it. I prefer security over new features.

Re:

[DeadPixels]

I agree, but that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible. I believe that you should notify the vendor and then release it in a reasonable time frame (TFA suggests 60-90 days).

I don't have a problem with the disclosure of vulnerabilities once the vendor has been notified, because I think it does cause the problems to be resolved quicker. However, not telling the vendor means there's no chance for them to even start on a fix bef

Re:Why not?

[b4dc0d3r]

He's a step ahead of you. He's tried doing it the right way and gotten no results. So he's going to skip the part where he wastes his time.

If companies want responsible disclosure, they should respond in some way to the disclosure. Maybe companies will actually fix bugs instead of sitting on them, and he can go back to doing it the right way. He also warned the companies he's going to do it, so they have a chance to fix things before then.

Here's a tip for you. In the real world, sometimes you have to force the other party's hand to get them to act responsibly. He's to that point, and fortunately has leverage. By making this choice public, he shames the irresponsible software companies which allow security problems to sit around unfixed.

Hopefully they'll scramble to release some fixes, which they haven't done yet, which is a net improvement over the current situation where millions of people have unpatched vulnerabilities.

In short, I don't see a problem here. I use software, it has security problems, I expect those to be fixed. Whatever it takes to get there, I'm all for it.

Re:

[cromar]

Whatever it takes to get there, I'm all for it.

Even... even murder??! Or genocide??!

Re:

[jc42]

... that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible.

Well, how I read it is more like "Hey, we've tried notifying these turkeys a dozen times or more, and every time, they stonewalled us. I'm fed up with them, and I'm not going to waste my time any more. I'm just going right to the public release, which their history shows is the only way to get any action."

Maybe this isn't the "responsible" thing to do, but it's certainly underst

Re:

[John Hasler]

I think that it would be much better to always notify the vendor (telling them when you will release) and then release as scheduled no matter what the vendor does or says. The word would soon get around and vendors would know they were working against a firm deadline.

Re:Why not?

[tsm_sf]

I'd agree, but on the other hand this guy is essentially doing their job for them. For free.

Re:Why not? Because it's a PITA

[clintp]

Perhaps what we should suggest is starting off with a nice long "advanced notice" period with a vendor, 2 or 3 months. Each time they fail to act within that window, you decrease it slightly for the next bug you report. With time, this might stabilize on a reliable period for that vendor. Of course, this only works if you have a long-term business relationship with that vendor. In many cases, people are likely to give up long before the asymptote is reached.

This requires an awful lot of patience and a fair

Re:

[Tom]

We've had that discussion five years or so ago, hadn't we?

To rehash the two most important arguments of each side:

Pro Full Disclosure: "99% chance that the evil hackers already know about the exploits when a whitehat finds it, plus vendors don't get their lazy bums up unless there's danger in the air and the customers demand it."

Pro "Responsible Disclosure": "Mimimi, that's sooo evil. Plus vendors will certainly fix things ASAP and work with researchers and everything will be better and I'm not being paid t

Re:

[dissy]

I agree, but that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible. I believe that you should notify the vendor and then release it in a reasonable time frame (TFA suggests 60-90 days).

Well, you could always apply for that job :}

You get paid nothing, to email vendors about their security flaws, and wait for a reply that will never be sent to you.

Oh, and you aren't allowed to 'quit' this job, else we will say on the internet that you are immoral unethical and not reasonable.

Especially after you do this for years, get not a single reply, and realize just how futile the whole process is. Definitely can not quit after that!

Seriously, if you won't take that position for no pay and no rewards

Re:

[Thaelon]

What he's saying is that notifying the vendor first doesn't result in a fix at all, so why waste breath and allow the vulnerability to remain in the wild longer?

If it's releasing them into the wild results in a faster fix, then that's what should be done. There's no such thing as security through obscurity. Whether it actually results in more damage to release it immediately without notifying the vendor than to notify the vendor and have them do nothing for six months - while during those six months, othe

socialized risk

[epine]

This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk. When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.

I personally think 30 days is a reasonable notification period. Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant. If the vendor wants pleasant, they should invest more competence in the original product. This isn't easy, and might move a few pointy-haired managers out of the executive suite.

Probably a more viable compromise is eight weeks. This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.

I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.

I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.

Speaking of which, that whole TCO thing really bends my biscuits. It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.

During that time, your pants are down if anyone less ethical discovers the same flaw. It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.

Re:

[mcgrew]

This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk.

Sometimes I think I've been transported to Ferengenar. 95th rule of acquisition: "Exploitation starts at home".

Re:

[zippthorne]

What they should do is to meter out the information.

First day: notify the software company and enter info in the database.
-- info should include specifics, name of the program, an estimate of severity, and any info which can be released without actually revealing enough of the nature of the bug to continue.
-- The web site should handle allowing access to the specifics after the specified time.
-- The software vendor should be able to enter comments
-- The software vendor should be able to request extensions t

Re:

[SwashbucklingCowboy]

"if they've contacted the vendor and the vendor hasn't patched it in a month or two"

A month or two is not enough time.

Re:

[Monkeedude1212]

Why not? Too busy? On what?

You can have bugs, you can have additional features, you can have new projects on the table, ALL of that stuff should be second fiddle to security vulnerabilities.

So where is the time consumption? The firm is already telling you WHERE the problem is. All it takes now is Finding a solution, testing it, and deploying it.

If you're telling me that it takes more than 2 months to do that - I seriously doubt the actual integrity of the product they are working on.

Irresponsible

[DeadPixels]

To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's not going to tell the companies at all. That, in my opinion, is very irresponsible. If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.

Re:

[Anonymous Coward]

Problem is that if you warn a vendor privately, they will either dismiss you outright, or get a court to sign a gag order against you in a matter of hours.

Re:

[haruharaharu]

Of course, these guys are in russia, so good luck with that.

Re:

[93 Escort Wagon]

Of course, these guys are in russia, so good luck with that.

Of course, if the big companies that are effected felt it made business sense to do so, the fact that this group is located in Russia could make them easier to deal with. A bit of Microsoft cash slipped into the right unregistered bank account... problem solved, guys are shut up permanently.

Re:

[Fulcrum of Evil]

It occurs to me that financing international terrorism is a bit of a step up from not fixing exploits in your software. If adobe was known to finance murder in a foreign country, just what do you think would happen?

Re:

[Anonymous Coward]

What court? This firm is located in Russia.

Re:

[tonyreadsnews]

they will either dismiss you outright

So, how would that change GP's process?

get a court to sign a gag order

Then share it with one (or a couple) trusted friends who can release it if you are unable to.

Re:

[shutdown -p now]

Problem is that if you warn a vendor privately, they will either dismiss you outright

Then you proceed with disclosure.

or get a court to sign a gag order against you in a matter of hours.

Has there been a precedent for that?

I have reported security vulnerabilities in the past, and while the fix did take longer than I expected to be reasonable, at all points I was kept notified of the current progress, and I was never "dismissed", nor did anyone threaten me with court gag orders or anything like that. What did I do wrong?

Re:

[Volante3192]

The devil you don't know is less dangerous than the devil you know? Fact is, the guy says he's got holes from Real from two years ago that haven't been patched. Two years isn't enough time, now you want two years and three months?

Re:Irresponsible

[GameMaster]

What he seems to be saying, is that he's already told the companies and they've done nothing. A better term for it might be "effective disclosure" in order to differentiate itself from the, proven ineffective, "responsible disclosure" advocated by the industry.

So, what are they selling?

[0racle]

Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.

Right, what are they selling again?

Re:

[paziek]

They could be providing auditing services. Advertising to whole IT world, that they found shitload of them might just say "Hey, we can check if your apps are safe, and perhaps recommend something better if they aren't."

Re:

[Blakey Rat]

From the blurb in the summary, it sounds like "jackassery."

Nice short term marketing gimic

[Megaweapon]

"Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."

Is it just me?

[gregarican]

Or is the English language dying a painful death on /. as time passes. The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.

Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???

Re:Is it just me?

[Arancaytar]

You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

Re:

[dissy]

You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

Poor little Bobby Tables...

Re:

[b4dc0d3r]

It's a high concentration of words and/or phrases having overloaded meanings. As technology develops, normal words acquire additional connotations, if not denotations. Since this is a tech-oriented news aggregator, you should select the tech connotation first, then re-parse with non-tech meanings if that fails.

'Drop' in this case can be parsed in the sense of 'vendor drop', meaning 'deliver' or 'drop a bombshell'. Not typical usage, but not uncommon. 0-days obviously refers to vulnerabilities, and confl

Re:

[bennomatic]

It's the hip-hop definition of 'drop', i.e., "Yo Dre! Drop me a funky-ass bass line!"

secutiry theater gate crashers

[Theodore]

I welcome this.
In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...
to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...
to "Here is how you fail... here is how to make you fail... FAIL!!!"

'responsible disclosure' is just wearing the nice guy badge...

You're the only one wearing the nice guy badge.

I'd rather see "Oh CRAP! This thing in Word is broken!" "Oh CRAP! This thing in Excell is broken!" "Oh CRAP! I went to look at a brittany spears vid and now can't move my mouse! Why is my DSL light blinking a lot?"
And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).

Better handled through a service like Wikileaks?

[Anonymous Coward]

It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.

RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it. If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could p

It's Irresponsible

[SwashbucklingCowboy]

While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities. Give them six months and then release them, but give them time. This does as great a disservice to users as those firms do by not fixing the vulnerabilities.

Re:

[Hatta]

So what you're saying is that we should give the black hats 6 months to freely exploit these vulnerabilities?

drop database?

[gringer]

Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?

Bug bounties

[zullnero]

If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines. There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm. One of the biggest issues with these security analysis firms is that there's no way to tell most of the time if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bonafide security professionals. And no jokes about them being one and the same...there's a huge difference, I've known (and in the case of those pros, I've worked with them) guys from both sides. If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.

Then again, there's the big problem with many of the bugs that outside security firms reporting being already known and in a work backlog. The realities of the industry is that capital isn't unlimited, time isn't unlimited, and sometimes, important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem. Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Responsible Disclosure

[MachDelta]

The alternative to irresponsible disclosure is for the vulnerability to be used maliciously for an unknown period of time. Which of those is preferable?

Re:

[fearlezz]

The third option: "Dear developers of [insert product name], I've found an security issue in [insert product name]. Details are attached. I give you 14 days before releasing this information publicly."

Re:Responsible Disclosure

[dgatwood]

Exactly. The GP is seeing the world in black-and-white, where reality has many gradations in between.

Naive responsible disclosure: give it to the vendors. They do nothing. The bad guys figure it out. Everyone loses.
Irresponsible disclosure: hand out a zero-day to the bad guys. Everyone loses.
Effective responsible disclosure: disclose it to the vendors along with the promise to disclose it publicly on a scheduled date.

It should be noted that the third way is how CERT does things, and is the only way that the end users stand a chance of not getting screwed. It is important to make it clear that the vulnerability will be released to the public on that date no matter what. It is also important to make this date no more than two months in the future. Make the time frame too short and you're accused of creating a zero-day exploit. Make it too long and they won't bother looking at it until a week before, then they'll tell you that they can't fix it in time, and they'll accuse you of creating a zero-day exploit. There's a middle range in which it's close enough to scare the pants off of the manager types but far enough out that the fix can actually happen.

Most importantly, though, if the vendor doesn't fix it, you must disclose it anyway. Otherwise you lose all credibility, and vendors will simply put off fixing the problem because they'll assume that you will keep backing down.

Re:

[blueskies]

Irresponsible disclosure: hand out a zero-day to the bad guys. Everyone loses.

People running the software pull it out of production until there is a fix? Or they mitigate the problem the day the world learns of the exploit?

Re:

[LO0G]

One thing to keep in mind: all that was necessary to reverse engineer the DNS flaw was Dan Kaminski's mentioning that it existed - within a week several researchers had figured it out.

I don't totally disagree with you but there ARE times when just the knowledge that a flaw exists (or a rough idea of where the flaw exists is sufficient to allow others to figure the flaw out).

Re:

[dna_(c)(tm)(r)]

Which is followed by a letter from the firm's legal department ordering you to keep quiet or be sued for far more than you can afford to pay a lawyer to defend you.

Then Mr. Legorov responds with something that says, basically, "sod off" in russian and gets on with his life.

Re:Responsible Disclosure

[lordsid]

Basically what this is about is choice. The companies in question have been notified of the security flaws in their product. They have as of yet fixed said flaws. They have instead prioritized other projects above fixing the bugs. The choice was given to the companies in question. The choice is now being removed due to their inaction.

I will take irresponsible disclosure any day over people not fixing known bugs. This is forcing their hand and that is why they don't like it.

All in all, tough shit for the companies involved.

In an ideal world security flaws would be fixed when they are discovered. I think we can all agree this is not an ideal world.

Re:

[HarrisonFisk]

Except he did not contact the vendors. He said in the past he has contacted some and they didn't fix it, so now he has given up on all vendors and does not disclose the information at all for any vendors.

I work for one of the affected projects and can tell you that we did not get contacted by them via any of our normal, well publicized methods (email, phone calls, etc...).

I agree that if a vendor does not reply then it is totally okay to disclose it to force their hand. However, disclosing it immedi

Re:Responsible Disclosure

[networkBoy]

That's really not fair either.
Many bugs that are security related are a result of interactions that people simply didn't think of as possible. While bug free code is desirable, and possible, would you be willing to pay 10 times more for a "provable" product? 100 times more?

Look at the space shuttle code. Provable software with an average of something like 2 man years per line of code on average? Is that realistic for consumer or even pro commercial software?

On the flip side I abhor this type of disclosure as well. I think 0 days should be forwarded to the vendor and given at least 90 days before release. Hell set a timer on it, even say the following timeline would be ok(ish):
discover exploit: notify vendor
notification + 1 week: notify world of nonspecific vuln in product
notification + 1 month: notify world of type of vulnerability
notification + 2 months: notify world of specific vuln
notification + 3 months: notify world with exploit code.
-nB

Re:

[arose]

The one where an unknown number of in the world know how to exploit it before the patch.

FTFY.

Re:

[Anonymous Coward]

The one where an unknown number of people in the world know how to exploit it before the patch.

FTFY.

FTFY.

Re:Responsible Disclosure

[gregarican]

Here's a quote from TFA...

Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

Re:Responsible Disclosure

[mcrbids]

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

It's most likely a case of resource management and insufficient resources available. Businesses exist to make money. Features make money, bugs cost money. So, given NNN amount of money, do you:

A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or

B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?

Now, the clueful would note that the set of B includes the set of A, but for those who are living close to the edge, A is where the attention goes, and that's why you see announcements like this one.

Re:

[mcgrew]

It's most likely a case of resource management and insufficient resources available. Businesses exist to make money.

And as long as we keep putting up with shoddy software, they'll continue to sell it to us. Bugs cost money, as you said, so I would think they might put a few more resources to getting rid of the bugs before they shovel it out the door.

Assertion in point B

[forand]

The problem is with your point B.

Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?

You are asserting that the exploit is '"theoretical" (why the quotes?) and might be used in the future without any evidence that this is even the most common case much less the only case. The problem with an undisclosed vulnerability is that unsuspecting users believe they have more security than in fact they do. They expect, at very least, to be informed when a v

Re:

[Tom]

Businesses exist to make money. Features make money, bugs cost money.

Which wouldn't be a problem, because avoiding and fixing bugs would then avoid loss of money.

The problem is that features make the vendor money, while bugs cost the customer money.

Outside the software world, warranty and liability regulations solved that problem.

Agreed.

[chaboud]

Clearly the balance of incentives has been wildly off for some time now. Researchers finding possibly big-cost vulnerabilities and reporting them to vendors/middlemen have found that the responses to their discoveries have been slow. Additionally, the payouts for these researchers has been relatively low.

They've been slow because companies have very little incentive to actually fix these bugs, provided that the rate of exploitation of these bugs is sufficiently low.

The incentives for a company using comme

Embargo

[unixan]

Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches

It's most likely a case of resource management and insufficient resources available.

One word can solve the difference between responsible reporting and 0-day motivation:

embargo

The reporting security group still goes through responsible reporting methodology, but add proposed date the details will be reported more fully to the public.

I work for an enterprise-level network device manufacturer, and anyone in that line of work knows damn well that remote vulnerabilities are the harbinger of death if they're not addressed in a timely fashion. Yet, motivation to assign resources to fix it sti

Re:

[betterunixthanunix]

Perhaps this is yet another reason to use only free (libre) software: you do not have to rely on a greedy businessman to decide that a bug is worth fixing. Of course, this means that "responsible disclosure" flies out the window, since you cannot go around keeping bugs secret if you want random people to fix them, but give the content of TFA...

Re:

[davester666]

A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or

B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?

But how do you know if it's being exploited in the wild or not? Vendors are unlikely to know, security researchers and the anti-virus companies might. The best exploits are written so the end-user doesn't notice anything bad has happened.

And even if it's not, is it wise to wait until AFTER, say, so

I'd feed better if

[Ungrounded Lightning]

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

I'd feed better if, rather than lumping all the vendors together and 0-day disclosing vulnerabilities found in any of them, Intevydis tracked which vendors fail

Re:Responsible Disclosure

[bws111]

This doesn't sound like either responsible or irresponsible disclosure. It sounds like plain old extortion. Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor. Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion. Given that he must now resort to a blanket 'from now on I'll just release it' threat he must be getting pretty desperate. Frankly, I have no trouble believing that IBM/Tivoli and Sun/Mysql would not bat an eye at an extortion attempt, but I find it hard to believe they would not fix an actual vulnerability if it was reported as such.

Re:

[couchslug]

Yes, because it coerces vendors to fix vulns and therefore improves ecosystem health.

If the internet ecosystem were not under steady attack, it would be weak and much more vulnerable.

What does not kill it makes it stronger.

Re:

[mcgrew]

What does not kill it makes it stronger.

Tell "what does not kill me makes me stronger" to a brain-damaged man in a wheelchair. If there were no attacks, vulns would be little problem. As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam.

Re:

[vadim_t]

Yes, but it's unrealistic to expect that if researchers didn't publish attacks, there wouldn't be any.

Somebody found the hole. It can't be that they're the only person on the planet who could possibly figure it out. Eventually somebody else will find it too, or maybe already has. If that person happens to have something malicious in mind, they won't publically disclose it. They'll exploit it for their own gain, or sell the information to people who will do that.

If nobody disclosed vulnerabilities for the pu

Re:

[mcgrew]

I'm in the camp that says if you find a vuln, give them X days to fix it, then disclose it to the public.

Re:

[Stormcrow309]

I thought it was 'what doesn't kill me cripples me for life'...

Re:

[Dan Ost]

Features != Bugs

Just because marketing puts a higher priority on new features than it does fixing bugs doesn't mean that that is a better allocation of developer resources.

Of course, even if the bug is in the wild, if they're sure it's not exploitable, they can ignore it to continue working on new features. All they're really risking in that case is their reputation.

Re:Responsible Disclosure

[Anonymous Coward]

Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.

The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line. Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.

Re:

[jedidiah]

...usually. Sometimes pro-life can mean they want you to "choose life".
Although that's not the way it usually goes since the noisiest part of
the "pro life" crowd are fundie nutbags want to meddle in everyone's
lives.

Re:

[ckaminski]

Pro-life is typically used to mean "ANTI-abortion" and not "Pro-choice for you if you want it, more power to ya, but no fucking way you're aborting MY baby".

Re:

[Anonymous Coward]

Let's not go there. The point is that calling it "responsible disclosure" makes arguing against it much harder than, for example, calling it "delayed disclosure" would.

Re:

[Anonymous Coward]

I am in favor of mandatory masturbation (to prevent the need for abortions.)

Re:Responsible Disclosure

[hawkeye_82]

This is like punishment.

The irresponsible party in this case, is the software vendor. If the vendor can't clean up their act, and at least work on fixing 0-day exploits, then public disclosure/humiliation is probably a good way to get at least some vendor to sit up, take note and do the right thing the next time around.

This sounds like a good case for establishing a procedure.

1. Contact vendor about exploit, with an expiry date.
2. Release information about exploit once date has expired, irrespective of whether bug is fixed, and the fix deployed.

Is there perhaps a clearing house for such things?

Re:Responsible Disclosure

[csartanis]

Yes, because "responsible" goes both ways. They're being responsible by notifying the vendor before going public. If the vendor is not fixing the issue, it's time to go public.

As far as I'm concerned a public release is still a responsible one. At least in that case everyone knows about it.

Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain. The vendor's customer's get screwed and the vendor has no idea that it's even happening.

Re:Responsible Disclosure

[morgan_greywolf]

The term "responsible disclosure" is newspeak for "keep your mouth shut". The alternative to 'responsible disclosure' is that the vulnerabilties continue to exist for sometimes years, with wild exploits happening perhaps unknown for long periods of time.

I think it's okay to notify the company and give them time to fix the bug, but time on the order of years is completely unreasonable. On the Internet, a year is a very, very long time.

Re:Responsible Disclosure

[Lally Singh]

God forbid vendors actually start testing their software *before* it's in the field.

Re:

[TubeSteak]

The alternative to responsible disclosure is irresponsible disclosure. Is that really better?

The alternative to "responsible disclosure" is "full disclosure".
"Irresponsible" is only disclosing 0-day exploits to black hats.

The world isn't black and white.
Just because someone frames the issue as "X or Y" doesn't mean that "or" isn't an option.

Re:

[Hurricane78]

tl;dr: Of course I prefer the company fixing the bug, but in case they fail at that, I at least want to know of it and be on the same level as the crackers.

You got something wrong: The position of the crackers is that it’s the companies who act irresponsibly, e.g. by doing nothing when they should close the bugs, or by suing those who found some hole. Which I agree with. I’d go so far as to offer a prize to anyone who can demonstrate an exploit for my software. With that prize always being worth

Re:

[jjoelc]

Agreed - inform the vendor with all the details. Same day, publicly announce that the vulnerability has been discovered, but with no details. At a specified date (60-90 days later) make full details public.

Sounds so simple, doesn't it?

Re:

[Fulcrum of Evil]

I live in the US - they'd just get a gag order slapped on me. Better to just publish the exploit and metaphorically napalm their village