Not yet another Full Disclosure vs Responsible Disclosure debate

I have been interested in IT-Security since I was 16 or 17. Back then I was fascinated by basic concepts and the idea of exploiting weaknesses within a network, piece of software or simply human stupidity. It was exciting to see that the Internet is full of amazing websites, providing security enthusiasts with tools, source code, tutorials, exploits and any other sort of knowledge.

One thing I have loved doing since the beginning of this year is web penetration testing and source code security assessment. In most cases it is easy, and most vulnerabilities fall into a typical category such as SQL injection or local file inclusion. Web security is also often easy since you don’t need to craft any shellcode or possess deep knowledge about some kernel architecture and memory internals. Although I keep reading about assembler, memory registers, page swapping, the memory management unit, the translation lookaside buffer etc. in order to learn more about the complicated stuff :P, it is still a lot of fun to exploit obvious vulnerabilities.

Most of them are easy to find and also very easy to exploit.

When I started to publish advisories and exploits, I first contacted the software vendors. The purpose was to give them time to fix the vulnerabilities before I published any documents. In some cases the vendors replied within minutes, thankful for the support. Some of them didn’t reply at all and simply ignored me, and others posted my email on public message boards and asked for advice. The consequences were quite funny in the last case. Some users of those message boards advised them to send me to hell, because they suspected that I only wanted to get the software for free for my “vulnerability assessment” (when it was commercial software).

Since some vendors just ignored my mails and left the vulnerabilities unfixed, and since others did not reply within 14 days, I decided to switch over to irresponsible full disclosure. The result was quite amazing: most vendors suddenly fixed all vulnerabilities within days or even hours, mostly because their customers notified them and demanded a reaction. So far, no vendor has ever been angry. Quite the opposite: I have only received very friendly mails, asking me for help or thanking me for my work. I find this surprising, since I am damaging their vendor image at the same time. I don’t feel guilty about this, but I would understand if a vendor were annoyed. Maybe I would be, if I sold software for a few hundred Euro and someone just published a vulnerability without contacting me first.

But well, my experiences with them show that full disclosure indeed has many positive effects, and sometimes you even get mentioned in public blogs or in the release notes of the affected software. Thank you for staying cool, software vendors!

Most authors listed in exploit databases such as Exploit DB or Packet Storm do this work for fun, and some of them never even hack websites. It is just the challenge of finding and exploiting a vulnerability that keeps some of us sitting in front of the computer instead of enjoying the warm weather outside or going out with friends.

But back to topic:

Many people are truly against full disclosure since
a) the vendors are not given any time at all to react,
b) other people could exploit the new knowledge for their own purposes and e.g. immediately break into affected websites,
c) the image of the vendor and the software gets damaged, or
d) sometimes the information about a vulnerability is simply wrong or not described correctly.

I have seen information about vulnerabilities, e.g. stating that a local file inclusion was found. After having a look at the software on my Linux test box, I found out that there was no vulnerability at all. In such cases both the vendor and the customer (respectively the software user) are confused in many ways. They don’t know whether they should do something about it, and when they want to, they can’t find the vulnerability at all. The customers think that the product is insecure and maybe switch over to another app, or even shut down their own website.

All those things are very good arguments and I can understand everyone claiming that full disclosure can be destructive.

On the other hand, full disclosure has many advantages; some of them are
a) the vendor is forced to do something, since the customers may also know about the weakness.
b) Many vendors simply react faster.
c) The knowledge about the vulnerability and how to exploit it is shared and other people can learn from it.
d) The customers, respectively the software users, have a right to know that the software is vulnerable and that their website/systems are affected.

Drawing the conclusions from the last eight months, I will continue to publish everything I know a few hours after I find a vulnerability. Since OSVDB and Secunia often publish my vulnerabilities and notify the vendors, I don’t even write to them myself anymore. They get notified by their customers anyway.

I am not performing any vulnerability assessment, let alone binary assessment, on software that needs to be compiled, so I believe the damage that could be done with the vulnerabilities I publish is not that high. But I still understand that I carry some responsibility and should act accordingly. If you also publish vulnerabilities from time to time, I highly recommend that you also help the vendors fix their bugs. This is only fair.

You can find more arguments and details about this debate in this blog post.
