[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <v2je63164661004282006j4d442e8atf7c86a9f77886380@mail.gmail.com>
Date: Wed, 28 Apr 2010 23:06:42 -0400
From: Rob Fuller <jd.mubix@...il.com>
To: "ML: full-disclosure" <full-disclosure@...ts.grok.org.uk>,
"ML: NoVA Hackers" <novahackers@...glegroups.com>
Subject: Vuln Disclosure summarized (TTBOMA)
I have an admittedly limited view of the exploit dev world. However,
from what I've seen devs have very few options: (Please correct me if
I'm wrong)
"Responsible Disclosure" =>
- Direct Contact => depending on the size of the vendor and their view
on security, this could result in anything from a simple thanks, a
reward, to a court hearing.
- Exploit Broker => possibly sell, possibly not, depends on the
broker. The vuln could die on the table or stolen due to too much
information being given during negotiations. This route has the same
financial risk as direct contact, but a lot less risk of getting sued.
- ZDI (or other vuln clearing house) => "instant" cash, but admittedly
less than an Exploit Broker could possible get based on the financial
risk to ZDI. Close to zero risk of court time (they may come after you
for selling the exploit). And a lot less financial risk since (IIRC)
they pay up front. But then the vulns go to also undisclosed parties,
potentially the highest bidder which is probably not the vendor.
- "other" secretive groups who share vulns for different reasons...
- Just to friends => No cash, no judicial risk, but you do risk them
stealing/selling your exploit.
"Full Disclosure"
- Posting it to the web for all to see/user => Possible court time,
but the definite upside is the vendor is forced to react. A very quick
way to make enemies.
- Releasing at a conference => Probable court time.
"No Disclosure"
- Keeping it to yourself => Working under the assumption that your the
only one that has found that same bug is still semi relevant due to
the incredibly small size of the exploit dev community. However, as
Dave said, they'll be toasting to their sleeping dead 0days some day.
"No More Free Bugs"
- My stance on this is split, while I think people should get paid for
their work, I relate this movement to mowing someone's lawn and then
ringing their doorbell and asking for money. However I'm sure Robert
Graham's punch in the face metaphor also works.
//
Like, I have stated above, I am far and away a newbie to the vuln
disclosure world and this debate has been going on since before I
owned my own computer, but with the brilliant minds working at it, why
doesn't anyone offer up a solid solution to it?
My solution? Create a standard, something that we all abide by. I know
as hackers we rebel against such things but in the interest of getting
better security out there (yes, that's what we are here for right?....
right?) we should should really work together on this. What sounds
right?
I mean, what is the right way to approach someone who's lawn you've
mowed for the work you have done? Maybe free for open source projects,
and a price based on exploitability and market share of the affected
product?
For reference:
Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
=> http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html
Vuln Disclosure is Rude by Robert Graham:
=> http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html
No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino Dai Zovi:
=> http://trailofbits.com/2009/03/22/no-more-free-bugs/
Dailydave Post by Dave Aitel:
=> http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html
--
Rob Fuller | Mubix
Room362.com | Hak5.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists