Responsible Disclosure — Reflections on the Past 20 years

Michael Morgenstern
DayBlink Consulting
Dec 5, 2022

It’s hard to believe that over 20 years have passed since Steve Christey and Chris Wysopal published the first substantive call for an overhaul of how vulnerabilities are reported, and Tom Parker and I, virtually simultaneously with them, published a couple of far more casual articles on SecurityFocus detailing the problem and possible solutions. With a major hand wave, I’ll summarize the past two decades as ‘the more things change, the more they stay the same.’ Yes, we’ve had fantastic progress in the bug bounty space (thank you HackerOne and Bugcrowd!), and well-meaning vulnerability researchers have faced fewer public cease-and-desist orders (many of us remember being there in 2002 in solidarity with you, Kevin Finisterre/dotslash). We’ve unfortunately also watched the more recent and incredibly dangerous leaking of EternalBlue and the damage that can come from (a variety of) governments hoarding zero days rather than responsibly disclosing their underlying vulns.

It feels like we haven’t progressed nearly as fast as we thought we would over the past 20 years, though we have developed more of a consensus on the appropriate ways to handle such dangerous information. We are now fully in a world where every company and government agency chooses to solve the problem its own way. Charlie Miller published a paper in 2007 about the then-current state of the private exploit market, and Dan Kaminsky gave a great talk at Black Hat in 2008 on the subject. Then, 6 years later, Dan Geer suggested that the US government simply buy all available exploits at inflated prices to control the market. The sad state is that the future answer remains quite similar to the past answer. I’m sure that’s a controversial stance, as we now have Coordinated Vulnerability Disclosure (CVD) and we didn’t back then. iDefense and TippingPoint solved that problem — right? And now most major technology companies have bug bounty programs (Facebook, Netflix, Google, Yahoo!, etc.). Yet the problem continues to grow, unabated. Even the normally staid Department of Defense launched a “Hack the Pentagon” bug bounty in 2016, and in May 2021 it expanded its vulnerability disclosure program to cover all publicly accessible DoD information systems.

In 2022, there are still way too many approaches and disclosure processes. Google’s Project Zero discloses its findings to vendors with a 90-day window before public announcement (but offers only 7 days for actively exploited 0-days, a category it defines for itself). HackerOne’s default disclosure timeline is (typically) 180 days. And the hundreds of other companies that have similar programs each do so under their own terms.

On the Federal side, CISA published Binding Operational Directive 20-01 (BOD 20-01) in September of 2020, requiring federal civilian agencies to implement vulnerability disclosure policies. You read that correctly: it wasn’t until 2020 that this happened. And only a handful of EU members have national CVD policies.

Returning to my reminiscence about dotslash, in October 2021 Missouri Governor Mike Parson threatened criminal prosecution of a reporter after the St. Louis Post-Dispatch responsibly notified the Department of Elementary and Secondary Education that teachers’ Social Security numbers were exposed in the source of a state website. (In the words of a famous, and quite contentious, historical figure: “all great world-historic facts and personages appear, so to speak, twice…the first time as tragedy, the second time as farce.”)

Fortunately, governments have begun closing these loopholes to some degree. In addition to CISA’s BOD 20-01, the US Department of Justice announced in May 2022 that it will not charge good-faith security research under the Computer Fraud and Abuse Act.

The Vulnerability Equities Process (VEP) governs the United States Government’s management of the vulnerabilities it finds, and allows it to decide which it will weaponize and retain and which it will responsibly disclose. Our track record is unfortunately not so great here (I’ll whisper “Shadow Brokers” and leave it at that).

All doom and gloom? Mostly, but here are some broad brush approaches:

We should find ways to make responsible disclosure to vendors (and then to the public) more lucrative than selling to governments that are weaponizing the information, even though intelligence agency pockets tend to be much deeper (back to Dan Geer’s reality). Vendors are increasingly recognizing the damage done to their bottom lines when exploits are developed (especially if they had an opportunity to obtain the vulnerability information in advance). That implies prices will continue to rise, though how fast remains to be seen.

We would benefit from greater consensus on the value of the information (to reduce asymmetric information issues), and greater consensus on disclosure timelines would also be useful. Vulndb.com is insufficient here. But the chances of forcing intelligence agencies to disclose their purchases round to 0. Maybe software developers need to start publishing their payments, as embarrassing as that might be.

We clearly still need far more education of government (and business) leaders on appropriate reactions and responses when approached by security researchers. Congress passed the National Cybersecurity Preparedness Consortium Act of 2021 to enable the Department of Homeland Security to help prepare our government. Perhaps part of that preparedness could be relevant education of our leaders on these issues.

Perhaps I should stop venting and start bothering people in this community to try (again) to solve the problem. All new ideas welcomed!

For Further Reading / Supporting Evidence:

https://datatracker.ietf.org/doc/html/draft-christey-wysopal-vuln-disclosure-00

https://web.archive.org/web/20040103111648/http://securityfocus.com/guest/10711

https://web.archive.org/web/20031011063221/www.securityfocus.com/guest/14155

https://www.cnet.com/tech/services-and-software/security-warning-draws-dmca-threat/

https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/

https://econinfosec.org/archive/weis2007/papers/29.pdf

https://www.youtube.com/watch?v=7Pp72gUYx00

https://www.wired.com/2014/08/cia-0day-bounty/

https://www.defense.gov/News/News-Stories/Article/Article/2595294/dod-expands-hacker-program-to-all-publicly-accessible-defense-information-syste/

https://siliconangle.com/2020/01/08/googles-project-zero-says-will-now-wait-full-90-days-disclosing-security-vulnerabilities/

https://www.hackerone.com/product/response-vulnerability-disclosure-program

https://www.cisa.gov/binding-operational-directive-20-01

https://missouriindependent.com/2021/10/14/missouri-governor-vows-criminal-prosecution-of-reporter-who-found-flaw-in-state-website/

https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/

https://www.congress.gov/bill/117th-congress/senate-bill/658/text


Michael is a Partner at DayBlink Consulting (www.dayblinkconsulting.com) and helps clients accelerate Cybersecurity and Automation efforts.