Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said on Saturday.
The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla security chief Window Snyder said in a panel discussion at the ShmooCon hacker event in Washington.
"The researcher has all the power," Snyder said. "They control when they disclose it, and they control the idea whether or not the vendor responds in time."
Releasing vulnerability details has been hot topic for years. The software industry advocates private disclosure of a bug and time to fix it before a researcher goes public, a practice the industry calls responsible disclosure. After all, early release could help criminals to launch cyberattacks and damage a vendor's reputation.
Security researchers who follow the industry's guidelines are often frustrated by a lack of response from software makers. Another frequent point of criticism is the time it takes for a fix to be released and for the researcher to get credit in a security alert.
"Vendors have a real responsibility to respond to what's reported to them," said Snyder, who previously worked at Microsoft.
But not everyone buys into responsible disclosure. It is a trap set by software makers, said panel member Dave Aitel, of security software firm Immunity. "Responsible disclosure is a marketing term," he said. "Responsible disclosure plays into the hands of Microsoft and other big vendors... they are trying to control the process."
Instead of disclosing a flaw to the vendor, Aitel wants bug hunters to sell vulnerability information to him. Immunity pays bug hunters for details on security vulnerabilities and uses those in his company's products, which include penetration-testing tools that can be used to break into computers and networks.
Chris Wysopal, chief technology officer and founder of security review company Veracode, disagreed that bug hunters are always in charge. "We see a lot of threats," he said. "Being on the receiving end of legal threats isn't an easy thing."
If a company unleashes its legal wrath onto a security researcher, then that's an example of a company that doesn't know what it is doing, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products.
"There are sophisticated vendors like Mozilla and Microsoft, and there are vendors who have no clue about good process," Dhamankar said. TippingPoint, which also pays security researchers for bugs, was threatened with a lawsuit recently by a web portal software maker, he said.
To gain a competitive advantage over rivals, companies such as Immunity and TippingPoint pay bug hunters for flaws. By purchasing bug information, their products can detect problems before any other product can and before an official patch is available.
Ultimately, flaws don't get fixed without public disclosure, Wysopal said. "The responsible thing is to send it to the vendor, but then you get stuck with the vendor not doing anything about it if there isn't the threat that it will be publicly disclosed," he said. "Public disclosure is the only way to actually get things fixed."
Mozilla's Snyder said 30 days is a good timeframe to give a software maker to come up with a fix and called on bug hunters to follow responsible disclosure guidelines.
"I appreciate the work that's going on and I appreciate a little heads up before the whole world finds out [about a security vulnerability]... I would appreciate 30 days, but I will take what I can get."
