ZDNet UK / News and Analysis / Application Development

Bug-reporting protocol draws flak

By Matt Loney, ZDNet.co.uk, 27 February, 2002 13:40

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

IETF, anarchy, scott culp, Software security, Bug, Georgi Guninski

NEWS
A draft protocol designed to lay down guidelines for a responsible method of reporting security bugs will let software vendors off the hook and stigmatise those who report bugs, say critics. The draft document, published earlier this month by the Internet Engineering Task Force (IETF), is drawing criticism on several fronts, not least because one of the authors is Scott Culp, manager for Microsoft's security response centre. It was Culp, who in his call for more responsible reporting, decried the information and example code released by some companies and independent security consultants as "information anarchy". With its draft protocol, the IETF recognises that during the process of disclosure, many vendors, security researchers, and other parties follow a variety of unwritten or informal guidelines for how they interact and share information. "Some parties may be unaware of these guidelines, or they may intentionally ignore them," says the document. "This state of affairs can make it difficult to achieve a satisfactory outcome for everyone who uses or is affected by vulnerability information." The purpose of the document, says the IETF, is to describe best practices for a responsible disclosure process that involves vulnerability reporters, product vendors or maintainers, third parties, the security community and ultimately customers and users. But it has drawn criticism for its similarity with Scott Culp's essay on the subject, leading to obvious charges that Microsoft is trying to get off the hook for security vulnerabilities in its products. Noted security guru Georgi Guninski pointed out that the IETF draft is "quite similar to (the) Seattle users' rant." However, Guninski saves his major criticisms for specific parts of the draft document. In particular, Guninski points to section 3.6.2, which deals with "Reporter Responsibilities". This part of the document states that the reporter should recognise that it may be difficult for a vendor to resolve a vulnerability within 30 days. It gives several examples of where this may be the case: first, when the problem is related to insecure design; second, when the vendor has a diverse set of hardware, operating systems, and/or product versions to support; and third, when the vendor is not skilled in security. In any of these circumstances, says the document, the reporter should grant time extensions to the vendor "if the vendor is acting in good faith to resolve the vulnerability." This is dangerous, says Guninski. First, he points out that it would allow vendors to label reporters as "irresponsible" under the terms of the protocol, "while shifting the focus from their buggyware". As an example, Guninski draws on the recent disclosure of a bug in Microsoft's .Net framework and the Windows operating system by software risk management firm Cigital. Although Cigital said it followed the unwritten rules of responsible disclosure in the company's announcement, some security experts -- including Microsoft -- criticised it as being irresponsible. "So the vendor denies this is any kind of bug to avoid negative publicity and instead the reporter is labelled irresponsible," said Guninski. Guninski is also adamant that the software and security communities should encourage disclosure of bugs whether or not they are fully and publicly disclosed. "People with skills will always find bugs, but they may not disclose them," he said. "I don't find it logical for it to be responsible to sell under-tested and under-quality software, and for it to be irresponsible to disclose a bug," he said. Furthermore, any vendor who sells software with disclaimers that disclaim any liability should not use the word "responsible", according to Guninski. And in a final sideswipe against Microsoft, he adds: "I personally have disclosed vulnerabilities since 1996 about Oracle, IBM, Microsoft, Netscape, FreeBSD, OpenBSD, Sun and others. Only one of the above has claimed I am irresponsible." The full IETF draft document can be found here.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. Have your say instantly, and see what others have said. Go to the Security forum. Let the editors know what you think in the Mailroom.

Related stories

Microsoft decries information 'anarchy'

Group to set bug-reporting standards

Did MS bug alarm go off too early?

Perens: Linux could learn from Apple

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

kevinmchapman

Er, no... It is an efficient means of finding the application/file/setting you need in one place. The icons are a simply a fallback for when you...

7 minutes ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
TerryRK

Isn't the provision of a text based search an admission by the developers that the mass of icons approach does not work? I don't need to use a...

1 hour ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
kevinmchapman

"Unity and GNOME 3 both abandon the old text-based cascading menus in favour of a graphical icon-driven system." Point truly missed. Both use a...

2 hours ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
TerryRK

whs001 - Thank you, I'm glad you liked the article. I absolutely agree with you on your first point. I should perhaps have made it clearer that...

2 hours ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
Dennis Nilsson

If we allow corporate interest to dictate the way our government circumvents due process against foreign entities then we should accept the same...

3 hours ago by Dennis Nilsson via Facebook on ACTA stumbles in Germany
GHar123

I totally dislike pirating of works, I fear that artists will be deterred from creating works if they think that they are going to get ripped off....

5 hours ago by GHar123 on ACTA stumbles in Germany
JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

10 hours ago by JCB33 on ACTA stumbles in Germany
Moley

@GrueMaster. I prefer horses for courses rather than one size fits all. I, and I suspect most other computer users, do not really wish to have...

13 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
greycynic

The product that scares me every time I have to use it is the Office 2007 version of Excel. The first bug that I found was applying the median...

13 hours ago by greycynic on Ten flawed products that derail productivity
GrueMaster

Nice review and very informative. One thing I'd like to add (in reply to whs001's 1st question), the main reason to have the same interface from...

14 hours ago by GrueMaster on A tale of two distros: Ubuntu and Linux Mint
Frederick Wrigley

I'be been using Mint 12 since the RC came out, and I am far more happy with the Cinnamon, the Mate, and, yes (with extensions), theGnome 3...

15 hours ago by Frederick Wrigley via Facebook on A tale of two distros: Ubuntu and Linux Mint
bdantas

Excellent article. One small correction, though--although a fresh installation of Linux Mint 12 will, indeed, provide the user with a version of...

16 hours ago by bdantas on A tale of two distros: Ubuntu and Linux Mint
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

16 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

16 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

17 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

17 hours ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

17 hours ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

17 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

18 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

21 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA

Latest in Application Development

Perens: Linux could learn from Apple

Featured white papers

The Relevance of Cloud Infrastructure to Enterprise Challenges

SAVVIS

The Relevance of Cloud Infrastructure to Enterprise Challenges

This white paper reviews the evolution of data center outsourcing, and introduces cloud offerings within this historical... Read more

Use product development for competitive advantage

IBM

Use product development for competitive advantage

Remember when MP3 players just played music? Today, consumers want players that can host music, stream video,... Read more

Open-source software deployments for enterprise IT success

Progress Software

Open-source software deployments for enterprise IT success

Wikipedia identifies open source as "enabling a self-enhancing diversity of production models, communication paths... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

How to handle data replication

How to handle data replication

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault