This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Content-Type: TEXT/PLAIN; charset=UTF-8
By Joris Evers
Staff Writer, CNET News.com
August 17, 2006
Bug hunters are turning the tables on software makers in the debate over
In recent years, software companies have hammered out rules with
researchers on disclosure, which cover how and when vulnerabilities are
made public. Now flaw finders want something in return: more information
from software providers on what they are doing to tackle the holes the
researchers have reported.
"We have gone from the old 'full disclosure' to 'responsible disclosure'
debate, to a debate over 'The vendor has the information--what does it do
with it?'" said Steven Lipner, senior director for security engineering
strategy at Microsoft.
Software vendors need to establish protocols for interacting with
researchers who share bug information, experts said. If they don't, they
could risk losing the progress that has been made towards responsible
disclosure of flaws.
Many bug hunters now understand and follow the "responsible disclosure"
guidelines advocated by software companies. Under this approach, a
researcher who uncovers a flaw will, as a first step, contact the maker of
the affected software and share details of the vulnerability.
In the past, researchers tended to favor full disclosure, in which they
would publish details of security flaws they had found on mailing lists or
on security Web sites, regardless of whether a fix was available.
However, companies want to keep bug details under wraps at least until a
patch is ready. They argue that with a patch, users of the flawed software
can plug the hole and protect themselves against possible attacks. By
contrast, with full disclosure vendors are sent scrambling to fix a flaw,
while customers are exposed.
"The tension has always been the same," said Gartner analyst Paul Proctor,
who moderated a panel discussion on disclosure at the recent Black Hat
security conference. "Researchers want the vendors to be more aggressive,
and the vendors want the researchers to show more discretion. While they
both have the same goal of a more secure Internet, their perspectives are
While many researchers now follow responsible disclosure practice, some
feel that their conscientiousness is not being reciprocated. In many
cases, the say, they run into a brick wall or get a limited response at
the software maker, which pays them little respect for their work.
"There is nothing more frustrating then trying to help a vendor secure its
product in good faith and not getting decent communication back in
return," said Terri Forslof, security response manager at TippingPoint,
which sells intrusion prevention systems. Forslof is responsible for
sharing flaw details with vendors through TippingPoint's Zero Day
Initiative bug bounty program. Others agree: Her comments echo the
sentiments expressed by many researchers at the Black Hat panel
There is a simple recipe for satisfying flaw finders, Forslof said. A
company should acknowledge the issue; provide ongoing information on the
status of a fix; and be open with the researcher about the processes
involved in producing an update.
"An open line of communication is essential," said Michael Sutton, one of
the Black Hat panelists and director of VeriSign's iDefense, which deals
with software makers and vulnerability researchers. "It is the vendor's
responsibility to proactively update the researcher on a regular basis on
the progress that is being made in patching the issue."
Much progress has been made, and security researchers and software makers
are working better together today than ever before, said Proctor. However,
many companies need better processes for dealing with bug hunters, he
"I would like to see the growth of aggressive, formalized programs to work
with researchers who find vulnerabilities," Proctor said.
Flaw finders who contact software vendors are typically well-intended
security professionals, or enthusiasts who like to test the vulnerability
of software. Several companies, including TippingPoint and iDefense, pay
researchers for flaws they find and use the information in products to
protect their clients' systems.
But complying with researchers' request for more information is not that
easy, John Stewart, chief security officer at Cisco Systems, said during
the Black Hat discussion. Acknowledging a potential flaw might have an
adverse effect on security, he said.
"We can create undue attention onto something that might hurt our
customers," Stewart said. "If we know, to the best of our knowledge, that
there is a weakness in our product, we're attempting not to draw further
attention to it."
Companies all operate differently when it comes to dealing with bug
hunters. Microsoft has set a good example, accepting that it needs to work
with the security community, Proctor said. "Cisco is moving from anger to
acceptance, and Oracle from denial to anger," he said.
Cisco has worked hard to get into the good graces of the hacker community.
It threw a party at a Las Vegas nightclub for Black Hat attendees and sent
senior security staff to the event. That's in contrast to the previous
year, when the networking giant sued a security researcher and alienated
itself from the community to the extent that T-shirts with anti-Cisco
slogans sold well at the Defcon hacker event that follows Black Hat.
Oracle appears to be easing up a little on the security front. Its chief
security officer is now blogging, and the enterprise software company is
talking to the press about security topics. However, it is still often
critiqued for its unwillingness to deal openly with researchers.
Without communication, vendors risk losing the progress made toward
responsible disclosure. Turned off by a cold response, bug hunters
increasingly put pressure on software companies and go public with flaws,
instead of going the responsible route, said Tom Ferris, an independent
security researcher in Cupertino, Calif.
"I see more researchers not work closely with vendors and just giving them
a 30-day grace period before going public with the flaws," Ferris said.
Copyright =C2=A91995-2006 CNET Networks, Inc. All rights reserved.
Content-Type: text/plain; charset="us-ascii"
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/