LAS VEGAS -- Black Hat USA -- Finding bugs is fun. Fixing them, not so much. The tricky part is maintaining a balance between the bugs you've found and the bugs you've fixed, panelists said in a session here yesterday.
"Fixing security bugs isn't sexy," said Window Snyder, a top exec at Mozilla, during the "Ethics Challenge" panel at Black Hat. "As you get better at finding bugs, your fix rate needs to get better, too."
It's difficult to find the senior security experts who have the necessary skills to detect and fix bugs in software, Snyder observed. Panelist Ian Robertson, CSO for RIM, said his organization has similar problems. "We have an open headcount, too."
The panelists, who also included representatives from Cisco and Microsoft as well as researchers, aired their views on how the two worlds should work together.
David Goldsmith, president of Matasano Security, says his firm believes in working with vendors throughout the vulnerability research process -- and following responsible disclosure practices. "We try not to be sued," he says. Matasano has worked with difficult vendors, but the company still believes vulnerabilities should be reported to the vendor first, rather than independently or publicly.
Snyder says vendors should respond politely and with respect when a researcher reports a bug in their software. "We don't give up, and don't cut off communication," she says. Mozilla doesn't pay bugfinders for bugs, but instead offers a $500 reward for a critical, remotely exploitable vulnerability that's found in its software. "We see it as a 'thank you' to individuals who help keep our users secure."
Robertson says the key is to create a positive and trusted relationship with researchers and avoid confrontation. "At the end of the day, it's in both parties' interests to be cooperating," he says. "If they come to you with a vulnerability, you have to assume they want to fix it, too... Keeping the dialog alive is incredibly important."
Researchers resort to full disclosure when they get frustrated that the vendor is ignoring them or not communicating well with them, Mozilla's Snyder said. Mozilla lets bugfinders in on the patching process. "They can see all the engineering comments on it [the bug]."
Robert Graham, CEO of research firm Errata Security, says it's not worth the "drudgery" of proving a bug's severity, if the vendor doesn't treat his firm with respect. "I don't want to go through all of that if the vendor treats me like crap," he says. "We get paid more as consultants" than as bugfinders.
Kelly Jackson Higgins, Senior Editor, Dark Reading