The Backlash for Computer Security Experts

2010-06-16 by Jason

It seems to happen every 6 months or so: technology companies get mad at security researchers, and the term that gets thrown around a lot is ‘responsible disclosure’. We just so happen to be in another one of those situations, where more than one incident has occurred recently. Last week, a Google-employed researcher went public with information regarding a vulnerability he had discovered in Windows XP and Server 2003. Also last week, a security research organization released details of a flaw in AT&T’s website that allowed access to the e-mail addresses of Apple iPad users. With high-profile cases, the more mainstream media pick up on it, and so, right on cue, the Wall Street Journal has an article, Computer Experts Face Backlash, that rehashes the topic in light of the recent issues.

‘Responsible disclosure’, in terms of computer security research, entails a researcher going directly to a company with the flaw or vulnerability that she has found. The company should then address the issue in a timely manner, such as with a patch, and then the researcher can publicize the problem she found along with a solution to recommend.

However, a researcher might think that a particular vulnerability they have found is highly critical and get impatient waiting for the company to fix the problem. If the company thinks the problem isn’t as critical, it might back-burner the fix. The researcher then might choose to go public with the information to “encourage” the company to release a patch sooner rather than later. With the compensation paid for some vulnerability reports, this can also seem like extortion. Since many security researchers and companies are trying to make their name in the industry, they want to go public with their find to get their name out there.

The problem lies with the “timely manner” part of the definition above. Some researchers might think that a week is plenty of time to address the problem. Some companies might need a month to develop, test, and release a patch. When a researcher goes public with the information before a patch is available, it is considered a breach of responsible disclosure. Many times, the information released to prove that a vulnerability exists is also enough information for malicious people to create the exact thing the researcher and the technology company would have preferred to avoid. People are often put at risk when responsible disclosure is broken.

Last week’s cases involved:

  • A Google-employed security researcher went public with information about a vulnerability that he had disclosed to Microsoft just 4 days before. (Microsoft Security Advisory)
  • The Goatse Security group discovered a flaw in AT&T’s website that allowed iPad owners’ e-mail addresses to be revealed. The flaw was not disclosed directly to AT&T but instead reached the company through the grapevine.

The results:

  • The Microsoft vulnerability is being exploited in the wild.
  • The iPad-related flaw may reveal more information than just the e-mail addresses of subscribers.
  • The FBI is investigating the AT&T breach.

For further reading on the topic: Threatpost on Full Disclosure and The Wall Street Journal article on the backlash for Computer Security researchers.
