Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

Why I no longer report website vulnerabilities that I stumble upon…

I wrote this in July 2007 but decided against publishing it at the time. In July, I felt that I did not have a significant, publicly known case to help legitimize the argument. The Dan Egerstad case prompted me to change my opinion.
---

There was a time that if I found a vulnerability — and a web app vulnerability in particular — I would notify the application owner. Jeremiah reminds us that those on the receiving end do not always reply appropriately.

In one recent case, I found a web app vulnerability that one year later was the root cause of a minor incident with large public exposure.

One may argue that I did not behave ethically and put others at risk for not reporting what I stumbled upon. In fact, there is a clear provision for this reporting of discovered vulnerabilities in the CISSP code of ethics.

Truthfully, when one considers how vulnerabilities are discovered, the researcher is rarely a passive participant. In most cases the researcher asks, “Why does the app behave in a particular way? And, if I were to do such-and-such an action, what might happen?” To answer these questions requires an active participant! Hence: Vulnerability discovery usually requires the researcher to be an active participant in the discovery process in order to test whether or not a vulnerability is present and is exploitable.

So, I counter that the risk to me, personally, in our current security environment, is too great for me to take the risk of reporting it. If a corporation questions my motives and how I came to know about the vulnerability, it would most likely paint me as a more active participant than I prefer.

The original reason I formed a corporation in 2001 was for protection against large corporations (such as Microsoft) that may seek damages (against little old me) with regard to my security and vulnerability research.

Over the last two years or so we’ve seen that the effects of InfoSec breaches are not as drastic as most want to claim. Hence the argument that I am putting more people at risk by not reporting the vulnerability does not have as much weight. In the current environment I prefer to let others take the reporting risk.

(I should also add: I do not have an issue reporting vulnerabilities in open source software as I believe these projects are more receptive to this information and there is much less risk to me as an individual.)

5 Comments

  1. Some softie Nov 19, 2007 at 9:46 am | Permalink

    Aww, couldn’t you at least use an example company like Cisco or Apple that sabre-rattles? Even at its worst, MS never sued Georgi or anyone else over security issues reported. Releasing worms is a different matter, and, I suspect, covered by the CISSP ethical code.

  2. Kenneth F. Belva Nov 19, 2007 at 10:05 am | Permalink

    Well, software companies with known vulnerability reporting procedures — such as Microsoft — are a different story.

    It’s really smaller non-software companies that I would have an issue with: reporting issues to banks, manufacturing companies, *** film festivals ***, etc. Dan’s case is a perfect example of this and you can read into my comments what you will…

    There are a plethora of web app vulnerabilities that exist. It’s just no longer my place to report them if I’m outside the SDLC/auditing process of the company…

  3. Andy Steingruebl Nov 19, 2007 at 2:51 pm | Permalink

    Some companies have anticipated this problem and have crafted vulnerability disclosure policies that tell researchers they don’t have to worry about legal issues arising from telling a company about a vulnerability.

    PayPal:
    https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside

    To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below – we will not bring a private action or refer a matter for public inquiry.

    Microsoft:
    http://www.microsoft.com/technet/security/acknowledge/faq.mspx

    Q. Will Microsoft take legal action against those who submit online services security vulnerabilities?
    A. Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities.

  4. Doug Woodall Nov 20, 2007 at 2:21 pm | Permalink

    Right is Right. If it’s a hazard to users, it should be reported.
    Keep on doing as you see fit. It’s appreciated.

  5. dara Nov 20, 2007 at 3:29 pm | Permalink

    For the average Joe Soap, after one reports an issue with a website to the service provider, does one report it generally thereafter if there is no action or even response on behalf of the provider to rectify the matter?

    I have found this post in a search for such a site.
