Martin McKeay

Responsible Disclosure? - Paypal vulnerable for two years

By Martin McKeay
July 20, 2006 11:52 AM EDT
In any argument there are going to be extremes that support either opinion.  Paypal has done me a favor in giving me a great example of where responsible disclosure didn't work.  Chris Marlow tried to notify Paypal in June of 2004 of a Cross Site Scripting (XSS) vulnerability that could be used as part of a phishing attack against Paypal users.  Apparently Paypal's own internal processes prevented Chris from being able to contact anyone at the company who could actually understand the seriousness of the situation.  Fast forward to last month, when Netcraft reported on the same vulnerability.  Paypal's response was appropriate, but only because Netcraft is a well-known name in the Internet community.

Earlier this week I posted advocating 'immediate disclosure' rather than responsible disclosure.  However, even I think immediate disclosure might not be the answer; it's just better than the current solution.  The problem with responsible disclosure, as it stands, is that it's up to the vendor to decide what's reasonable and responsible, not the discoverer of the vulnerability or a third party.  There isn't even an agreed-upon standard of what is a reasonable length of time to wait between notifying the vendor and releasing the vulnerability to the public.  Rumor has it that many of the IE exploits HD Moore is releasing were reported to Microsoft over six months ago.  And Microsoft is a company that has clearly defined methods of reporting vulnerabilities.

Responsible disclosure has been tried, and while it's not a total failure, it's not a total success either.  Vendors are sitting on vulnerabilities for much longer than can reasonably be called 'responsible'.  If they want responsible disclosure, it can't just mean that security researchers act in a responsible way.  It means that the vendors have to act responsibly too.  Many vendors do, but there are also a large number that don't, and those vendors then claim researchers are abusing the system when they disclose.

We need to come up with a system that clearly defines how a vendor gets notified and what is a reasonable time frame to wait between notification and disclosure.  I don't like the idea of a central database run by US-CERT or some other central, government-run organization.  The IEEE has tried multiple times to define responsible disclosure guidelines without luck, but it may be time for them to address the problem again.  Of course, even if we do come up with a solution that satisfies vendors and researchers, it's only going to affect the people who play by the rules.  The crackers are still going to share vulnerabilities in the backrooms of the Internet long before we hear about them.