Comments on: Responsible Disclosure and Months of Bugs

By: Iang

Iang — Tue, 06 Mar 2007 06:33:42 +0000

It’s hard to get excited about exploit code when we can provide a billion dollars worth of fraud, and still the vendors won’t respond.
Look at the record: Firefox people have only in the last month or so taken the first definitive, measurable step towards an active posture against phishing, by employing someone with that aim. (And still, Firefox 3 is the planned event…)
Microsoft are just as bad. Even though they woke up earlier to the security failure of the browser … with a little prodding in the form of Bill Gates’ famous memo … their people went straight into a huddle and created a “better than before” green bar … or a track-all-your-URLs database. This puts them further back than Mozilla, as they’ll have to unwind the marketing features to get back to where Firefox is (which hasn’t left the starting gate).
The problem can be characterised as security bug people talking security bugs, and vendors talking public exposure and marketing opportunities. It’s not a debate about security, and won’t be until both sides are willing to talk about security. To be fair, the security bug people are talking about vulnerabilities, not security; even if one side starts talking about security, they’ll quickly realise they are talking to themselves.

By: Michael

Michael — Mon, 05 Mar 2007 23:28:52 +0000

I stand corrected. I shot a quick post but hadn’t taken the time to do my research. Based on question #6 alone I agree with Arthur that MOPB isn’t being responsible in their disclosure techniques:

#6 Why do you provide exploit code, isn’t that irresponsible?
Exploit code is provided because on the one hand some people do not believe that a vulnerability is exploitable (maybe because their attempts failed) and on the other hand the lack of exploit code that tests for a certain vulnerability is the major reason why PHP vulnerabilities are sometimes not correctly fixed or why the same bugs are later reintroduced.

That exploit code should certainly be provided to the PHP developers to prove to them the vulnerability exists and is exploitable. But POC code should not be distributed to the public until after the vendor has had a reasonable amount of time to address the vulnerability and has failed to do so and even then it should first be released to IPS/IDS and AV vendors before its released to the public.
I’m not as concerned as Arthur is about the vendor getting a heads-up on these as long as the disclosure is responsible (ergo no public POC code). But again, it looks like MOPB doesn’t adhere to that.
Its a shame…the idea is worth while but obviously not well executed in this case.
I didn’t follow the Month of Browser Bugs too terribly close but I got a sense that it was successful in that it drew a lot of attention to the problems in browsers, which of course is the main point of the whole MOXB idea and the whole reason I find them appealing.
There has to be a way to prod vendors into action without jeopardizing Joe User.

By: Ryan Russell

Ryan Russell — Mon, 05 Mar 2007 22:26:52 +0000

This PHP case appears to be special. He is maintaining a special fork of PHP where the bugs are all fixed, I believe.
Or do people not think he should be able to fix bugs in his own software? (At least in the “own” sense of maintaining a distribution. Otherwise you’re also faulting Theo for dropping NetBSD 0-day.)