Tuesday, June 15, 2010

Was Tavis Ormandy's Disclosure Irresponsible?

Regarding Tavis Ormandy's recent disclosure of a vulnerability in Windows Help and Support Center, my understanding is that there are five basic paths to take when you have a valid vulnerability to disclose. They are enumerated below. In short, I think Tavis Ormandy went down the RFPv2 path, and thus was within his rights to disclose when he did assuming that Microsoft didn't in fact reply to him within the 5 days allowed.

As a corporate defender, I would prefer that researchers not take such an aggressive stance with disclosure, but my point is that what he did might have long-standing precedent.

1). CERT/CC - Public disclosure happens within 45 days of the vulnerability being reported to CERT/CC. CERT/CC notifies the vendor per their own process.

2). Full Disclosure Policy (Rain Forest Puppy policy version 2 - RFPv2) - Reporter of problem contacts the software vendor directly. The vendor is allowed 5 days to reply. If the vendor does reply within the 5 day time window, then a disclosure schedule should be agreed upon by both parties. After that, the vendor should provide updates every 5 days. The wording of the disclosure should be agreed upon by both parties. if the vendor does not reply back with 5 days of the initial contact, the reporter of the problem is free to disclose.

3). OIS (Organization for Internet Safety) - Finder submits a VSR (Vulnerability Summary Report). Vendor can choose to do a partial public disclosure at this point if they wish. The vendor must respond directly to the finder within 7 days. If the vendor doesn't respond in 7 days, then the finder must submit again, and the vendor gets another 3 days to reply. if the finder doesn't get a reply after this final 3 days, the finder is OK to publicly disclose.

4). Go through a vulnerability broker like Verisign iDefense VCP or TippingPoint ZDI and follow whatever policy that broker uses.

5). Sell directly to a private buyer. Many governments - including the U.S - purchase vulnerabilities for their own purposes.

Having served as an intermediary before, I can tell you that this process sometimes isn't a walk in the park. I am not saying anyone is right or wrong, but I am saying that what he did isn't new and maybe he is being singled out unfairly in the media.

UPDATE 13 July 2010 - Microsoft has released a fix for this vulnerability in July 2010 patch MS10-042.

UPDATED 13 July 2010 http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

No comments:

Post a Comment