Bug reporting could be a hot topic at Black Hat

June zero-day leads to 'radical' changes in disclosure landscape

How researchers report vulnerabilities -- and how companies react to those reports -- may be one of the briskest topics at this week's Black Hat security conference.

The debate isn't new -- researchers and vendors have quarreled over bug reporting philosophies for as long as the former have found bugs in the latter's software -- but the subject kicked into a higher gear last month.

That was when Tavis Ormandy, a security researcher employed byGoogle, went public with a critical Windows bug just five days after reporting it to Microsoft. Ormandy said he disclosed the vulnerability when the company wouldn't commit to a patching deadline; Microsoft has disputed that, claiming that it only told Ormandy it would need the rest of that week to decide.

Whether it was a breakdown in communications between the two parties or a misunderstanding, Ormandy's publication of attack code for a Windows XP vulnerability -- since patched by Microsoft -- unleashed a heated debate.

Some security researchers criticized Ormandy for taking the bug public, while others rose to his defense, blasting both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer.

"The upsetting trend, which I imagine has been keeping security companies playing along with Microsoft's silly game, is for Microsoft to call into question the ethics of the reporter, and even if that reporter was acting independently, tying that question of ethics to the reporter's employer," wrote researcher Brad Spengler in an epistle to the Dailydave security mailing list .

Spengler later declined to be interviewed by Computerworld.

But his post was influential: It was widely circulated among security researchers and rekindled the conversation about the Ormandy-Microsoft incident, as well as the larger conversation about when and how bug finders report their discoveries, and how vendors react to those reports.

For years, the debate has been between two concepts: "full disclosure" and "responsible disclosure."

In the former, researchers release information about a vulnerability when they see fit, or after a vendor balks at or delays a patch. The logic: When a bug goes public, companies fix flaws faster under the pressure, which may include the fact that the publication of the flaw has led to actual attacks.

"It's been shown that vendors can move much quicker when there's an exploitation in the wild," said Dino Dai Zovi, a security researcher who will be presenting Thursday at Black Hat.

Responsible disclosure, on the other hand, holds researchers on a tighter rein. Under that philosophy, a researcher privately reports a bug to the software maker -- or to some other organization that reports the vulnerability for them -- then waits for the developer to patch it before publishing details and exploit proof-of-concept code.

It's no surprise that Microsoft , and virtually all other software makers, have touted the latter as safer for customers and makes for more reliable patches.

"[Microsoft's] customers look to the security community to help them," said Mike Reavey, director of the Microsoft Security Response Center (MSRC), Microsoft's in-house security team, in an interview last week. "They don't want the risk amplified by information [going public] before a high-quality update is ready."

But the Ormandy-Microsoft imbroglio did produce some changes, important ones in the eyes of many security researchers.

Google led off last week when it published a missive called "Rebooting Responsible Disclosure," a proposal that featured, among other elements, a call that researchers set a 60-day deadline. If a vendor hasn't patched by then, researchers would be free to take their findings public.

The search giant also raised the maximum payment it would make for bugs in its Chrome browser, following a similar move by Firefox maker Mozilla.

Days later, Microsoft responded by announcing it wanted to change the term "responsible disclosure" to "coordinated vulnerability disclosure," a decision it denied came from the Ormandy event.

Microsoft's Reavey argued, as others have before him, that the word "responsible" carried too much baggage. "When folks use charged words, a lot of the focus then is on the disclosure, and not on the problem at hand," he said.

Researchers applauded the moves by both Google and Microsoft.

"What's really important [about Google's deadline proposal] is that this is coming from a vendor, not a researcher," said Dai Zovi. "Google's saying, 'This is a standard we're going to hold ourselves because we think it's right.' They're leading by example."

Jeremiah Grossman, chief technology officer at White Hat Security, gave Microsoft kudos for tossing the word "responsible" from the discussion. "Even if it's only a renaming and repositioning of Microsoft position, that's a good thing," he said.

Like Dai Zovi, Grossman is slated to present his vulnerability research at Black Hat on Thursday.

"What a change from a year ago," Grossman added, pointing to the increased bug bounties, Google's demand for a patching deadline and Microsoft's acknowledgment that "responsible disclosure" was an inappropriate label. "What a radical departure."

"I don't know if this will be a big topic at Black Hat," said Charlie Miller, a researcher set to present Wednesday at Black Hat. "It may not. But all sides have put their cards on the table now."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags GoogleMicrosoftsecuritySecurity Hardware and Software

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?