Most Irreal readers are familiar with the concept of responsible disclosure: the idea that if you discover an exploitable flaw in a site or piece of software, you should contact and inform the folks responsible for the site or software before publishing your findings. That gives the developer or admin a chance to fix the problem before tipping off the bad guys. This week, there were two interesting articles posted about responsible disclosure.
The first was by Troy Hunt. Hunt is a security expert whose work we’ve discussed many times on Irreal. He illustrates the challenges of responsible disclosure with two stories. In the first, he publishes a story about a fairly innocuous vulnerability concerning a mall’s car location service. The story was picked up by the local press and the mall management immediately suspended the service and contacted Hunt asking for advice on how to resolve the problem. Result: a potential problem is resolved quickly and efficiently even though Hunt didn’t give official notification.
Hunt’s second story involves a serious problem (user names and passwords publicly exposed) with a Black & Decker web site. Hunt does everything according to protocol. He attempts to notify B&D but is unable to get any response. He tries contacting B&D in the U.S. (Hunt is an Australian) and still can’t find anyone to talk to him. Finally, a Microsoft contact, who has a relationship with B&D, gives him a contact. The story just goes on and on. Four and a half days later the problem is finally fixed. The story illustrates how resistant some corporations can be to acknowledging and fixing vulnerabilities.
The second post is from the Google Blog. In it Google announces its new policy concerning responsible disclosure. The salient feature is that they will support researchers disclosing critical vulnerabilities seven days after notifying those responsible if no patch or advisory is issued. They hold themselves to the same standard so we know they’re serious.
Google’s policy may seem harsh but all they ask is that vendors acknowledge problems and issue an advisory expeditiously. In an age where many vendors prefer to ignore problems, this seems reasonable to me. What do you think?