Verizon claims full disclosure is the preserve of narcissistic "pimps"
Opinion on whether and how information on security vulnerabilities should be published is frequently divided. Network specialist Verizon's security blog has now weighed in with its two cents, in a recent blog entry demanding that the term 'security researcher' be redefined. According to author Wade Baker of Verizon's Business Investigative Response team, the term is a euphemism that covers a broad range of sins. He compares it to calling terrorists "demolition engineers".
He believes it's important to distinguish whether someone is part of the problem or part of the solution. In order to make this distinction, it is, in his opinion, important to assess how information on vulnerabilities is used. He proposes four categories (to be taken perhaps with a pinch of salt) which will in future be used by Verizon: security researcher, security practitioner, narcissistic vulnerability pimp and criminal.
Researchers are people dedicated to analysing security problems and how to resolve them. Practitioners apply solutions developed by researchers in order to make things more secure in practice. Narcissistic vulnerability pimps publish information on vulnerabilities without consulting the vendor, thereby making systems less secure.
Baker, who also helped write Verizon's Data Breach Investigations Report 2009, points out that many commonly used analogies on the issue of responsible disclosure of security problems are wide of the mark. Publishing details of a defect in a car without consulting the manufacturer, for example, does not, he notes, increase the risk for the driver. Doing the same for software, however, does increase the likelihood of someone exploiting the vulnerability to carry out attacks. According to Baker, information on vulnerabilities should, for the good of users, be kept under wraps until a solution has been found.
If we follow 'practitioner' Wade Baker's definitions, one person who would become a narcissistic vulnerability pimp is Tavis Ormandy of Google's security team. He recently published information on a critical vulnerability in Java which vendor Oracle did not consider sufficiently critical to merit releasing an emergency patch outside its three-month patch cycle. Shortly after publication, Oracle suddenly realised that it did, after all, need to release a patch.
H.D. Moore predicted and criticised just this kind of vendor behaviour at the last RSA conference. The Metasploit developer also regularly publishes details of vulnerabilities without consulting vendors, who in turn accuse him of irresponsible behaviour. Moore has, however, found that "Software vendors never provide a fix for a researcher-discovered vulnerability within the time span they initially propose. It doesn't matter whether it's 30, 60, 90 or 120 days, they never meet their own deadlines." When an exploit turns up on a forum, by contrast, a fix is, he notes, ready within ten days.
Although Baker perhaps goes more than a little over the top in his redefinitions, he does at least give us pause to reconsider current terminology. When exactly is someone a security researcher, an activist or a profiteer?
- Java exploit launches local Windows applications, a report from The H.