
Vulnerability Disclosure Deja Vu: Prosecute Crime Not Research

There is a lesson to be learned from a locksmith living 150 years ago: Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The recent example of a software vendor leveraging laws like the Digital Millennium Copyright Act (DMCA) to intimidate a security researcher is counterproductive. The researcher and team at the security consulting firm IOActive took a risk by attempting to report security flaws in a digital lock, and the company that makes the lock didn't exactly welcome the news.

While we don’t know all the details, according to multiple press reports, IOActive tried to contact the vendor privately before public disclosure, and that vendor responded through its lawyers, who mentioned the DMCA. As Chris Soghoian, staff technologist for the ACLU, tweeted about this incident, "Having a lawyer respond to security researchers is like asking your neighbor to turn down the music w/ a gun in your hand. It won't end well".

This phenomenon is sadly all too common in the history of security research, and it has a chilling effect on that research. Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The year 1853 called. They want their disclosure debate back.

A locksmith living over 150 years ago named Alfred Charles Hobbs said it beautifully when discussing whether revealing lock-picking techniques publicly was acceptable: "Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery."

The irony that modern lock manufacturers have not learned the lessons of their industrial-age forebears indicates that we haven't sufficiently shifted the norms of vendor behavior in over a century and a half.

Hackers gonna hack.

When vendors lack a process and ability to receive, investigate, remediate, and communicate about security vulnerabilities, often the first reaction is to call in the lawyers. However, software bugs are not usually fixed by lawyers, threats, or intimidation. They simply distract all parties from the only route that ensures our collective security.

Back when I founded Symantec Vulnerability Research, I made t-shirts for the team that said simply:

All software contains bugs. The maturity of a vendor's product security is measured in part by how it handles vulnerability reports. Those who are unable to gracefully deal with external parties who are trying to warn them of security holes are putting their users, and possibly the Internet as a whole, at risk.

Recently, I worked with MIT Sloan School of Management and Harvard Kennedy School on relevant research, sponsored by Facebook, on system dynamics modeling of the 0day market. The research concluded, among other things, that defenders should try to increase the rate of finding vulnerabilities through incentives for bugs. Responding to friendly hackers with legal intimidation runs counter to this research and all recommended best practices.

5 Stages of Vulnerability Response Grief: A Standard Approach

Denial. Anger. Bargaining. These are all emotional reactions to a technical problem. The cure? Acceptance. This short video offers a humorous look at this serious issue. Unfortunately, this is still an ongoing phenomenon, and organizations will benefit from quickly understanding the pitfalls of these activities that don't ultimately work to improve their security posture.

As I write this from the 25-year anniversary meeting of the ISO SC27 working group in Malaysia, I am happy to report that we already have standard guidelines in the form of ISO 29147 Vulnerability disclosure and ISO 30111 Vulnerability handling processes. These are available to help organizations adopt a vulnerability handling, coordination, and public disclosure process. Will a set of standards end the disclosure debate once and for all? Not entirely, but it is an important first step.

Hackers can help prevent attacks if they can come forward without fear of prosecution. Encourage research, offer proper incentives, and have a safe and transparent way to receive potential security issue reports.

Prosecute crime, not research. The result is a safer Internet for everyone.

Katie Moussouris is the founder and CEO of Luta Security, a company offering unparalleled expertise to create robust vulnerability coordination programs. Luta Security specializes in governments and multi-party supply chain vulnerability coordination. Moussouris recently ...

User Rank: Ninja
5/19/2015 | 10:27:36 AM
Re: Defender's point of view
Imagine the PHP code that you write\wrote\sell or provide is being used all over the Internet for whatever reasons people use it for... now imagine it's weak and vulnerable and you missed it during your "code review".... now, wouldn't you want someone to point that out to you no matter how arrogant they were or would you rather some attorney for Company X contact you with a lawsuit?

Don't take it personal, it's a mistake that someone found, hopefully before it was exploited for ill.
User Rank: Apprentice
5/15/2015 | 3:22:42 PM
An example of a different approach
United Airlines is offering up to a million air miles to hackers who can find security bugs in its network. 

Marilyn Cohodas
User Rank: Strategist
5/15/2015 | 8:18:31 AM
Re: Defender's point of view
@Thomas Claburn, love how you expanded on the metaphor of the lock picker at the front door. Perfect! 
Sara Peters
User Rank: Author
5/13/2015 | 12:50:14 PM
Re: Defender's point of view
@AnonymousMan  I see your points, but it's a bit more complicated than that when you're dealing with a public Website, because the safety of that site affects all the people who use it, not just the people who own the domain. And the trouble is that the way the laws are written right now, simply looking for a vulnerability in a website -- not disclosing it or testing it -- is technically a felony crime under U.S. and U.K. law, punishable by fines and even jail time.

Although it doesn't usually turn out that way, there have been cases when good samaritan security researchers have been convicted of cybercrimes under these laws -- like when Daniel Cuthbert got convicted in the UK for executing a single shellcode command after he thought he might have just given his credit card information to a phishing site.

Marilyn Cohodas
User Rank: Strategist
5/13/2015 | 11:28:33 AM
Re: I Need that T-Shirt!
The T-shirt is definitely cool, @ChristianBryant. But your point about the value of vulnerability research -- and the need for lawmakers to protect it -- is critical. Hopefully Katie's message will reach beyond the world of Dark Reading to TPTB in Washington. What we need is intelligent cyber crime legislation. Not a dragnet.
User Rank: Ninja
5/13/2015 | 5:16:58 AM
I Need that T-Shirt!
OK, so that was a terrible label for my comment (I've been too serious on some of these) but, really, awesome message on the T!

I spend hours a day reading sites like DR, Exploit-DB and PacketStorm.  The imagination that goes into vulnerability research can't be stressed enough.  Without these individuals, teams and organizations (most of whom are either anonymous or feel some security in their visibility and numbers), we would not only be less safe but also our software would be buggier and less enjoyable to use.

The law must catch up, must address cyber-crime intelligently and recognize the value of folks like vulnerability researchers and not simply see them as part of the problem.  Even for those on the "right" side of the law who do recognize this, they then need to fight for them, for they too often get swept up in the nets.
Thomas Claburn
User Rank: Ninja
5/12/2015 | 6:01:27 PM
Re: Defender's point of view
>Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks. 

This metaphor doesn't quite capture the Internet since there's no real sense of physical location. It would be more accurate to imagine someone opening his or her front door to find the entire population of the Internet outside, with a subset of this group running automated door-hacking attacks.
User Rank: Moderator
5/12/2015 | 5:18:00 PM
Re: Defender's point of view
That is not just a different storyteller, it's a different story.  Not invalid mind you, but not the same situation. I wrote a PHP application and put it on the Internet.  Does anyone have the right to test it for vulnerabilities, as long as their heart is pure?  And my specific point...how does the defender discern intent from the packets?
User Rank: Strategist
5/12/2015 | 4:58:17 PM
Re: Defender's point of view
On the other hand:

You come home from the store. Your neighbor tells you that he just found out that his front door can be opened by banging on the lock 3 times and since you have the same lock, maybe you should change it.

Do you:

1.  Thank him and go buy a new lock kit

2. Kick him in the soft parts since he was looking at your lock for specifics.


Many different ways of looking at it and it depends on who is telling the story.
User Rank: Moderator
5/12/2015 | 3:30:55 PM
Defender's point of view
Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks.  Do you:

a) assume they are a security researcher, and politely ask them to let you know if they successfully pick the lock?

b) assume they are a criminal and swing a grocery bag full of avocados into their soft parts?

I generally agree with the idea of not prosecuting security researchers, there is no question IMHO that researchers are often egocentric ideologues who could care less about actual users. Some have a sense of entitlement that is simply dumbfounding....as if putting something on the Internet gives them free rein because, well, it's on the Internet and stuff.