Which is the right way to Disclose?

[JollyJokker]

Hello all,

Happy New Year to everyone! Excuse me if this post should not be in this column but I couldn't  figure out where I should put it.

I have discovered a vulnerability in a commercial Application. I am thinking of disclosing it. So, my question is: which one (of all) is the right procedure to follow?

In the beginning I was thinking of directly contacting the vendor itself, but after reading these guidelines (http://www.cert.org/kb/vul_disclosure.html), I am considering CERT as well.

How do you usually handle disclosure?

[sil]

To disclose or not to disclose... The tough question. So far I've dealt with: CERT, Microsoft, ZDI, iDefense, Cisco, Juniper, Foundry, F5 Networks, IBM, SAP, Digium, CACE (Wireshark), Symantec, VMWare, Trend Micro and some others (quite a few eh?)... The first questions to ask yourself is: 1) Is it a mission critical bug where it needs fixing RIGHT NOW 2) What is the purpose of your disclosure, for the sake of getting the bug fixed, for the sake of adding your name alongside a CVS number (don't laugh careers are built on it)

In re: 1) If it's mission critical, I suggest finding the appropriate contact at the vendor AND cc'ing CERT on your submission. This holds the vendor responsible since its not a secret between two parties - CERT is acting as a proxy

In re: 1) Dealing directly with CERT bypassing the vendor is a horribly long process, I know this because I have about 52+ issues with them on ONE vendor alone.

Or re: 2) If the purpose of your disclosure is fortune or fame, head over to ZDI and get paid for the research WHILE keeping your name on the advisory.

What you want to do is give the vendor time to replicate the issues while holding them accountable. For example, ZDI has a 6 month time frame for the vendor to provide a fix. (http://dvlabs.tippingpoint.com/blog/2010/08/03/zdi-disclosure-changes) In doing this (setting a time limit) they're giving the vendor the opportunity to get it right as opposed to just leaving things up in smoke. I have dealt with a vendor now for 2 1/2 years whose yet to respond to my advisories. Because of the sensitivity of the bug and the application it affects (it is a huge one) I decided to just shrug my shoulders. Someone else will eventually re-discover it. So you have a choice to make that no one can answer... Disclose it to the vendor, disclose it to CERT, disclose it to a brokering house (ZDI, iDefense, etc)... Whichever you choose, I would also put forth in writing a timetable of at least MINIMUM 3 months for a resolution. Otherwise vendors won't take it serious and you will see something lingering for years on end (HP has had bugs out there for over 3 years).

[chrisj]

Sil,

Maybe this is a silly question, but why can't you add ZDI to option 1 too? Notify Vendor, CERT and ZDI (or other org).

[sil]

When you go the ZDI route, you're on a disclaimer that states: "You will only deal with ZDI, give them your first child and not talk about Fight Club until we finish doing what we have to do..." Seriously... When you go the ZDI route, you're allowing them to be your proxy for all of this. They WILL give you credit for the find if you choose to disclose who you are. The better part of going through ZDI is few-fold 1) You make money from your work 2) They're very good at getting things fixed versus "Nobody sent in a security advisory..." A company is likely to throw you on the backburner until they're ready (if they even look at it) versus ZDI coming along where the vendor has likely dealt with them and knows there will be a disclosure in 6 months like it or not

[chrisj]

thanks sil

[g00d_4sh]

Nice.  I've often wondered what the best options were for this as well, as I've heard from both sides.  People trying to make some money off their hours of work... and friends of mine who own companies and don't want to feel extorted.  Good write up Sil, along with justifications for the various routes.

[JollyJokker]

Thank you very much for the insight,

From what I've seen, 99% of ZDI disclosures regard vulns in popular and wide spread applications such as MS, Adobe, Mozilla, Apple, Cisco etc.

Should I get to the conclusion that ZDI is only interested in such "popular" applications?

[sil]

@Hordakk, no they don't only focus on the top vendors but you have to understand what is behind ZDI to determine whether or not it's even worth approaching them.

Let's take two applications, they'll be printer applications. One will be from vendor MyHomePrinterCompany and the other will be from say Xerox. Which vendor do you think is more likely to appear in corporations?

Tipping Point is/was behind ZDI and Tipping Point makes their money off of Intrusion Prevention Systems. The purpose/theory behind ZDI was that, ZDI would have the first and only signatures for attacks not disclosed. They'd be able to protect their customers against potential attacks. They'd take your work, create sigs to protect their clients, then get on vendors to provide the fixes.

Their strategy is/was, get the researchers to submit their bugs, pay the researchers for their work. The researchers, because they were making money, were likely to go out on an all-bug-hunting spree and discovery vulnerabiltiies before malicious attackers did and get them over to ZDI for cash. However, I wouldn't be surprised if some malicious researchers double dipped, created exploits to use, sold them to ZDI and still used them. The only prevention against this is an NDA... (irrelevant but needs mention). (BTW sure dynamic and static analysis of code in the wild would discover double dipping, but a carefully placed zomfg!@$ my machine was pzwnred would remove doubt of double dipping)

So anyhow, to answer your question, ZDI will accept almost anything if it is likely to be used in a corporate environment. You see names like Apple, MS, Oracle, etc., because obviously they're in use 24/7.

[cd1zz]

Hordakk

I recently discovered my first bug and was trying to figure this out as well. The bug I found wasn't very exciting, it impacted an FTP server that can be found on like page 15 of google search results. None the less, I contacted the vendor and they fixed it promptly, within 2 weeks. They were pretty gracious actually. After they fixed it I submitted it to exploit-db.com.