Author: David Barroso
The eternal discussion between full disclosure and responsible disclosure has a relatively new arena: critical infrastructure protection (CIP). From time to time the best way of reporting a vulnerability to a manufacturer is discussed, but a procedure that satisfies both sides (the one who finds the vulnerability and the manufacturer) has not yet been institutionalized. There are all kinds of options, none clearly more successful than the others: acknowledging the researcher's help (e.g. Microsoft), paying a certain amount of money (Google), or simply using a company that acts as a broker and pays for vulnerabilities (e.g. iDefense VCP or Tippingpoint ZDI). But the truth is that these methods don't work; the best example came last year with the vulnerability discovered by Tavis Ormandy in Windows. That case proves the need for some type of procedure that pleases all sides.
Unfortunately, nowadays some manufacturers don't think security is essential to avoid risk to their users (ZDI's list of unpatched vulnerabilities is quite illustrative). On the other hand, some researchers also think that manufacturers have to meet their demands immediately, even resorting to extortion of manufacturers. There have always been attempts to proceduralise vulnerability reporting: from the well-known RFP procedure, through an IETF attempt, the Responsible Vulnerability Disclosure Process, which ended up becoming the basis of the Organization for Internet Safety procedure, to the No More Free Bugs initiative promoted by several researchers. In critical infrastructure protection we are now witnessing a repeat of what happened some years ago: after trying to do things right and realizing that it often doesn't work, we come across positions like Digital Bond's, whose vulnerability reporting policy is as simple as: we'll do what we like. They have had enough of seeing how manufacturers, after incidents such as Stuxnet or the vulnerabilities found by Dillon Beresford, don't seem to react, not even when ICS-CERT is involved (the manufacturer can even report you).
At the end of the day, what really matters is how concerned each manufacturer is about handling and coordinating these incidents (communication with researchers and companies), because, if we have finally realized that none of the global vulnerability reporting policies works, it is the manufacturer's task to set its own policy, and one that pleases both sides. For instance, Mozilla, Barracuda, Google, Facebook and Twitter have already done so. Not all of them pay for the vulnerabilities found; some simply acknowledge the help.
In short, prevention is better than cure, and all large firms must run a clear, published policy on the vulnerabilities that third parties find in their products, services or simply their websites, and they must also recognize the work of the people who collaborate positively in enhancing network security.