March 24, 2007 1:30 PM PDT

Mozilla: Hackers control bug disclosure

WASHINGTON--Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said Saturday.

The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla Security Chief Window Snyder said in a panel discussion at the ShmooCon hacker event here.

"The researcher has all the power," Snyder said. "They control when they disclose it, and they control the idea whether or not the vendor responds in time."

ShmooCon

Releasing vulnerability details has been hot topic for years. The software industry advocates private disclosure of a bug and time to fix it before a researcher goes public, a practice the industry calls responsible disclosure. After all, early release could help criminals to launch cyberattacks and damage a vendor's reputation.

Security researchers who follow the industry's guidelines are often frustrated by a lack of response from software makers. Another frequent point of criticism is the time it takes for a fix to be released and for the researcher to get credit in a security alert.

"Vendors have a real responsibility to respond to what's reported to them," said Snyder, who previously worked at Microsoft.

But not everyone buys into responsible disclosure. It is a trap set by software makers, said panel member Dave Aitel, of security software firm Immunity. "Responsible disclosure is a marketing term," he said. "Responsible disclosure plays into the hands of Microsoft and other big vendors...they are trying to control the process."

Instead of disclosing a flaw to the vendor, Aitel wants bug hunters to sell vulnerability information to him. Immunity pays bug hunters for details on security vulnerabilities and uses those in his company's products, which include penetration-testing tools that can be used to break into computers and networks.

Chris Wysopal, CTO and founder of security review company Veracode, disagreed that bug hunters are always in charge. "We see a lot of threats," he said. "Being on the receiving end of legal threats isn't an easy thing."

If a company unleashes its legal wrath onto a security researcher, then that's an example of a company that doesn't know what it is doing, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products.

"There are sophisticated vendors like Mozilla and Microsoft, and there are vendors who have no clue about good process," Dhamankar said. TippingPoint, which also pays security researchers for bugs, was threatened with a lawsuit recently by a Web portal software maker, he said.

To gain a competitive advantage over rivals, companies such as Immunity and TippingPoint pay bug hunters for flaws. By purchasing bug information, their products can detect problems before any other product can and before an official patch is available.

Ultimately, flaws don't get fixed without public disclosure, Wysopal said. "The responsible thing is to send it to the vendor, but then you get stuck with the vendor not doing anything about it if there isn't the threat that it will be publicly disclosed," he said. "Public disclosure is the only way to actually get things fixed."

Mozilla's Snyder said 30 days is a good timeframe to give a software maker to come up with a fix and called on bug hunters to follow responsible disclosure guidelines.

"I appreciate the work that's going on and I appreciate a little heads up before the whole world finds out (about a security vulnerability)...I would appreciate 30 days, but I will take what I can get."

See more CNET content tagged:
disclosure, TippingPoint Technologies, researcher, software company, vendor

10 comments

Join the conversation!
Add your comment
The Cold-Hard Reality...
The simple fact is that MANY businesses (especially, the biggest technology corporations) HAVE PROVEN that, as often as not, they WILL IGNORE, or even HIDE, any problem, that they think they can... unless literally forced to deal with it (look at Microsoft, the largest software-corporation in the world... they have a decades-long history of, actually, simply claiming "serious problems" dont even exist... until they were literally clubbed over the head with them... by the "media" and other forms of "public disclosure").

This is just a sad reality of modern business-behavior. In fact, this is actually a very-basic element of human-nature. There are other terms for this problem; "denial", "self-interest", "laziness", "arrogance", and "greed". But, as long as any form of externally-imposed "secrecy" is allowed... and as long as it provides any benefit to those that can exploit such "ignorance"... any form of restriction of such "free expression" -will- inevitably cause HARM to the "consumer".

This basic philosophy; -a little knowledge can be dangerous... but imposed ignorance is far, far, worse-... is, in fact, the very foundation of the American ideal of "Freedom of Speech". Our "Founding Fathers" were, very painfully, forced to acknowledge that controlling information, IS the single greatest power that the corrupt can possess... and that, "self-interest" is one of the most corrupting influences within the sphere of human-experience.

So-called, "responsible disclosure" (and "penalties" that could be used to enforce it), appears to me to be little more than another attempt to forcibly control the vital-information which consumers absolutely MUST have access to, in order to protect themselves and make sound decisions... regarding both "the bad-guys", AND the business-entities that would benefit from such FORCIBLY-IMPOSED ignorance.

This is especially driven home by recognizing, just who are the biggest proponents (and, potentially, beneficiaries) of this, self-styled, "responsible disclosure".

In short, it would be nice if such "vulnerabilities" were only disseminated in a "responsible manner"... But, the FACT is that "the bad-guys" WILL have access to such information, whether "the public" is informed, or not. And, overall, giving companies that produce FLAWED-PRODUCTS, the power to "silence" those that find such flaws, ...is, frankly, a far more worrisome prospect, to me.
Posted by Gayle Edwards (262 comments )
Reply Link Flag
Sure but who cares
Sure there are bugs in Mozilla, there aren't any programs which are bug free. Difference between Firefox and IE is that a Bug in Firefox doesn't compromise the entire Operating System like IE bugs do. Also Mozilla release updates for their web-browser more often than Microsoft release updates for IE
Posted by ozidigga (77 comments )
Reply Link Flag
Some Do Care.
IE bugs can reach farther down into the OS because it is integrated into the OS. Firefox cannot do so because as a third party application it is not allowed such deep access. At that, few hacks are written that can penetrate that deeply into IE and so few do.

However, that makes little difference in that because both browser?s security holes can allow bugs into the system both can cause considerable damage ? and that is the important point.

That Mozilla releases the bug fixes more often that Microsoft does is partly because Firefox has more vulnerabilities that IE does and also because Microsoft has been under considerable pressure from the business IT sector to release patches on a set schedule so that IT departments are not bombarded with frequent patches that have to be loaded into hundreds, thousands, of computers. With so small a market share, particularly in large enterprises, Mozilla doesn't face that pressure. It can and does release fixes whenever it suits their schedule. Microsoft used to do the same.
Posted by gmcaloon--2008 (72 comments )
Link Flag
Not ms 'bashing', putting the concerns where they belong
Of course it would be out of the question for ms to pay good rewards for bugs that are 'discovered'. I mean it is not like the system is so complicated and convoluted that it would be difficult for ms to do it by themselves, so there is no need to employ the brightest brains to fill in where they are woefuly inadequate.

No their money is better spent making PR contributions and lobbying efforts, for their inteliigence resources looking after how to try and market-out more market share, and focus of ignoring and hoping it will go away.

Responsible disclosure!! HAH! ! If you are stupid enough to offer up your halfbaked product to the public, you can not possibly dismiss yourself from the problems and responsibilities of its inadequacies.
Posted by Dragon Forge (96 comments )
Reply Link Flag
Could means what?
>>>early release "COULD" help criminals to launch cyberattacks and damage a vendor's reputation.<<<

Maybe, perhaps, possibly, might.

And now what about the other part of the MORE important question.

Cannot the creation of vulnerable software damage a vendor's reputation?

Don't shoot the messenger... they're just bringing the message. It's the developer of the flawed software who "SHOULD" be held responsible.

Notice I capitalized the word "SHOULD" because that matches with "COULD" and means about the same.

Microsoft should be held responsible for every flaw found in their software.

The hackers DID NOT write the code... Microsoft Engineers DID!

If Microsoft's code were solid in the way it was written, the chances of so many flaws occuring would be drastically reduced.

Now back to the story...

The hackers (note there are good and bad ones) are usually aware of the bug before the manufacturer.

Good ones report their findings to the manufacturer in hopes the manufacturer will come out with a timely patch.

But corporations like Microsoft have time and again, slept on those notifications to such a length of time (6 months to several years) that the good guys are getting fed up with reporting them only to find Microsoft is so reluctant to patch.

On top of that, Microsoft, even after notified of a specific flaw, still takes their time and has their own people probe to see whether the flaw the hackers found is in fact a hack or not.

Finally, once Microsoft's engineers have confirmed in fact that the hackers were correct all along... the hackers already knew it thought... Microsoft just postponed until their engineers could confirm it... Microsoft still postpones the fix until the next month's regularly scheduled update even for critical flaws unless the industry presses them beyond the point which they can postpone further.

So as far as the >>>early release could help criminals to launch cyberattacks and damage a vendor's reputation.<<<

I think the manufacturer's code, the manufacturer's actions taken after notification of the flaw, and the speed at which the manufacturer patches that flaw MUCH MORE important to a vendor's reputation than any early disclosure by a good hacker.

However, none of these seem to have any affect on Microsoft what so ever... but that SHOULDN'T BE the case!

We MUST NOT LET Microsoft continue to get away with their lax security policy after they've been claiming for years that they're working on strengthening their security!!!

Until they do as they say... I think the world should continue to breath down their throats and hold them responsible for their own sloppy security-weak spaghetti code!!!

FWIW
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.