"Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said Saturday.
The software industry for years has pushed guidelines for vulnerability
disclosure. Those "responsible disclosure" efforts have had some
effect, but security researchers maintain control over the process,
Mozilla security chief Window Snyder said in a panel discussion at the
ShmooCon hacker event here.
"The researcher has all the power," Snyder said. "They control
when they disclose it, and they control the idea whether or not the
vendor responds in time." "
...
"Another frequent point of criticism is the time
it takes for a fix to be released and for the researcher to get credit
in a security alert.
"Vendors have a real responsibility to respond to what's reported to them," said Snyder, who previously worked at Microsoft.
But not everyone buys into responsible disclosure. It is a trap
set by software makers, said panel member Dave Aitel, of security
software firm Immunity. "Responsible disclosure is a marketing term,"
he said. "Responsible disclosure plays into the hands of Microsoft and
other big vendors...they are trying to control the process."
Instead of disclosing a flaw to the vendor, Aitel wants bug
hunters to sell vulnerability information to him. Immunity pays bug
hunters for details on security vulnerabilities and uses those in his
company's products, which include penetration-testing tools that can be
used to break into computers and networks. " - ZDNET
<rant>
I agree with Window, vuln finders do have all the power. I also agree with Dave Aitel in that vendors do want to control
the process. Frankly if a researcher finds a flaw and reports it to the vendor first, the vendor should be kissing their ass
for not going to the news first, or selling it to the blackhats. The vendor also should act as quickly as possible
for their organization to roll out a fix to protect their customers as well as have a friendly relationship with
the security researcher. If the vendor is unable to identify how to fix the problem internally they should consult
a third party (the researcher if need be).
I also believe that certain vulnerabilities are worth a lot of money, however this entirely depends on your motives.
If you are a researcher who only cares about the problem getting fixed, then only telling the vendor is required, assuming
they address it within a reasonable amount of time. If the vendor blows you off or tries to hush you then by all means
disclose. If you are are a researcher who wants to profit from their hard work and are considering selling it to a
company like immunitysec, tippingpoint or idefense then by all means sell to the highest
bidder. I however would strongly suggest that you do not try and sell it to the vendor who is affected by the issue, you
will be sued and things will not go your way. If you are a person that profits from this vulnerability by protecting
your customers from it (tippingpoint,immunitysec,idefense), then start reconsidering your pricing models and open your wallets.
The researchers know you profit from it and are becoming aware that you need them.
</rant>
