Halvar Flake (halvar) <halvar flake sabre-security com>
Saturday, June 24 2006 01:37.00 CDT
On bug disclosure and contact with vendors
After reading HDM's blog entry on his interaction with MS on one of the recent bugs, I guess I should drop my 2 cents' worth of opinion into the bowl regarding bug disclosure:
So sometimes I get the urge to find bugs. Then I go out and sometimes I find bugs. Then I usually feel quite happy, and sometimes I even write an exploit. I do all this out of personal enjoyment -- I like bugs. I like having to play carambole billiards to get an exploit to work (meaning having to bounce things off of each other at weird angles to get stuff to work). Now, of course, once I am done I have several options for what to do with a bug.
1) Report it to the vendor. This would imply the following steps, all of which take up time and effort better spent on doing something interesting:
   - Send mail to their secure@ address, requesting an encryption key. I think it is amusing that some vendors like to call security researchers irresponsible when the default channel for reporting vulnerabilities is unencrypted. That is about as irresponsible as the researchers talking about vulnerabilities on EFnet.
   - Get the encryption key. Spend time writing a description. Send the description, possibly with a PoC.
   - MSRC is quite a skilled bunch, but with almost any other software vendor, a huge back-and-forth begins now, where one has to spend time explaining things to the other side. This involves writing boring things explaining boring concepts, etc.
2) Sell it to somebody who pays for vulnerabilities. While this will imply the same lengthy process as mentioned above, at least one can in theory get paid for it. Personally, I wouldn't sell bugs, but that could have several reasons:
   - I am old and lame and can't find bugs that are good enough any more.
   - The few bugs that I find are too close to my heart to sell -- each good bug and each good exploit has a story, and I am not so broke that I'd need to sell something that I consider inherently beautiful.
   - I don't know the people buying these things. I don't know what they'd do with it. I wouldn't give my dog to a total stranger either.
3) Keep it. Perhaps on a shelf, or in a frame. This implies zero effort on my side. It also gives me the joy of being able to look at it on my wall and think fondly of the story that it belonged to.
So in case 1), after having spent weeks on a bug, I have to spend more time doing something unenjoyable, and get a warm handshake with the words "thanks for helping secure (the internet/the world/our revenue stream)". In case 2), I get a warm handshake, some money, and a feeling of guilt for having given my dog to a total stranger. In case 3), I have something to look at with fond memories and have to invest no time at all into things that I don't find interesting.
What would be your choice?