
8/3/2007
02:18 AM

Bugfinders, Vendors Talk Ethics

Black Hat panelists chat about the challenges of the researcher-vendor relationship

LAS VEGAS -- Black Hat USA -- Finding bugs is fun. Fixing them, not so much. The tricky part is maintaining a balance between the bugs you've found and the bugs you've fixed, panelists said in a session here yesterday.

"Fixing security bugs isn't sexy," said Window Snyder, a top exec at Mozilla, during the "Ethics Challenge" panel at Black Hat. "As you get better at finding bugs, your fix rate needs to get better, too."

It's difficult to find the senior security experts who have the necessary skills to detect and fix bugs in software, Snyder observed. Panelist Ian Robertson, CSO for RIM, said his organization has similar problems. "We have an open headcount, too."

The panelists, who also included representatives from Cisco and Microsoft as well as independent researchers, aired their views on how the two worlds should work together.

David Goldsmith, president of Matasano Security, says his firm believes in working with vendors throughout the vulnerability research process -- and following responsible disclosure practices. "We try not to be sued," he says. Matasano has worked with difficult vendors, but the company still believes vulnerabilities should be reported to the vendor first, rather than independently or publicly.

Snyder says vendors should respond politely and with respect when a researcher reports a bug in their software. "We don't give up, and don't cut off communication," she says. Mozilla doesn't pay bugfinders for bugs, but instead offers a $500 reward for a critical, remotely exploitable vulnerability that's found in its software. "We see it as a 'thank you' to individuals who help keep our users secure."

Robertson says the key is to create a positive and trusted relationship with researchers and avoid confrontation. "At the end of the day, it's in both parties' interests to be cooperating," he says. "If they come to you with a vulnerability, you have to assume they want to fix it, too... Keeping the dialog alive is incredibly important."

Researchers resort to full disclosure when they get frustrated that the vendor is ignoring them or not communicating well with them, Mozilla's Snyder said. Mozilla lets bugfinders in on the patching process. "They can see all the engineering comments on it [the bug]."

Robert Graham, CEO of research firm Errata Security, says it's not worth the "drudgery" of proving a bug's severity, if the vendor doesn't treat his firm with respect. "I don't want to go through all of that if the vendor treats me like crap," he says. "We get paid more as consultants" than as bugfinders.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
