Sunday, September 16, 2007

The Future of Vulnerability Disclosure

If you're not already talking about this issue, this is your wake-up call. Going back 15 years or more the debate, if you can call it that, around disclosure has been the issue of when and how much to disclose. The two extremes were CERT who wouldn't disclose until the vendor released a patch, and the early days of the full-disclosure mailing list where people simply posted proof-of-concept exploits without bothering with the vendor.

But this year I've heard more about disclosure than I have in almost a decade. And for those of us in security operations, it's not good news. The monetization of the Internet is having an impact on vulnerability research and consequently on the issue of disclosure. This has led to a number of developments, all centering on the question of whether or not vulnerability researchers should be paid, and by whom. In the past, the model was responsible disclosure, and if you worked independent of the vendor, you could release your advisory in conjunction with their patch. Researchers got credit and hoped that it would draw in business.

Of course, the pool's a lot more crowded for researchers these days. And where a researcher could've drawn a nice salary at a security consultancy like ISS or @stake and still gotten on-the-clock time to research bugs, those firms have been consolidated and now exist under the profit-driven umbrella of a publicly-traded company. This means a lot of new as well as a good number of "old" (which makes them roughly my age) vulnerability researchers now have to pay their own way. Combine this with positions taken by large vendors like Microsoft and Cisco that they will not pay third-party researchers, and this means lots of smart people - make that smart people that hack stuff - are out there trying to find a way to get paid for their work.

So now, researchers are selling to companies like 3Com/TippingPoint, but it's safe to say that at least a few of them are selling to malware kit makers on the black market. There have also been a couple of attempts at agnostic auction houses that let researchers sell to the highest bidder, whoever that is. This means that at some point in the future, the next big vulnerability could go not just first, but exclusively, to organized crime. If that doesn't scare you, it should.

But what should scare you more is that the biggest stakeholders - the infosec ops folks on the front lines, the IT orgs they work for, and software customers everywhere - literally don't have a seat at the table on this one. Black Hat and Defcon both had roundtable discussions on disclosure, and you heard a lot from researchers, lawyers, software vendors, and infosec product vendors. But so far as I can tell, the people that will be impacted most haven't been asked for their opinion. I wish I had a good idea for how to get us heard on this issue. But I don't. So I guess all I have for you is something more to worry about. Sorry.
