Responsibility RFC


Here are some thoughts on the so-called "Responsible Vulnerability Disclosure Process":
http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
I am posting to this mailing list because there are some people from
interesting domains (not counting script kiddies and seattle users) and
because for a number of reasons I do not post to Bugtraq anymore.
This draft RFC is quite similar to seattle users' rant at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp
It's no surprise this user Scott Culp has given "constructive comments" on the draft RFC (Section 6 of the original draft).

A *very good read* on the above topic is
http://www.attrition.org/security/rant/z/ms-disclose.html
written by Jericho (security curmudgeon).

Anyway I disagree with at least the following from the draft RFC:
<snip>
3.6.2 Reporter Responsibilities

   1) The Reporter SHOULD recognize that it may be difficult for a
   Vendor to resolve a vulnerability within 30 days if (1) the problem
   is related to insecure design, (2) the Vendor has a diverse set of
   hardware, operating systems, and/or product versions to support, or
   (3) the Vendor is not skilled in security.

   2) The Reporter SHOULD grant time extensions to the Vendor if the
   Vendor is acting in good faith to resolve the vulnerability.

</snip>

Here are my arguments in no particular order:

*) This may allow vendors to label reporters as "RFC compliant
irresponsible" while shifting the focus away from their buggyware.
Example: Recently Cigital disclosed a flaw in a claimed feature of
Microsoft's compiler. While in public forums Microsoft claimed this is not
a flaw but a feature, at http://news.com.com/2100-1001-838096.html
the media wrote
<snip>
Some security experts criticized the quick public announcement as irresponsible.
</snip>
So the vendor denies this is any kind of bug, yet to avoid negative publicity
the reporter is instead labeled "irresponsible".

*) The community should encourage *disclosing* bugs even if they are fully
disclosed. People with skills will always *find* bugs, while they may *not
disclose* them. Ever thought how many 0days are out there?
And some high-profile sites continue to get defaced.

*) I don't find it logical that it is "responsible" to sell undertested and
low-quality software and "irresponsible" to disclose a bug.

*) Any vendor who sells software with disclaimers that disclaim any
liability SHOULD NOT use the word "responsible".

*) I personally have disclosed vulnerabilities since 1996 about Oracle, IBM,
Microsoft, Netscape, FreeBSD, OpenBSD, Sun and others.
Only one of the above has claimed I am irresponsible.

Just my 2 stotinki,
Georgi Guninski
http://www.guninski.com
