Dailydave mailing list archives

Re: The Invisible Hand of 'Responsible Disclosure'


From: "Michael Sutton" <msutton () spidynamics com>
Date: Thu, 7 Sep 2006 12:21:56 -0400

http://portal.spidynamics.com/blogs/msutton/archive/2006/09/06/The-Invisible-Hand-of-_2700_Responsible-Disclosure_2700_.aspx

Your "invisible hand of responsible disclosure" might work on an individual bug found by an individual in an individual piece of software. But it does not really address certain protocol common vulnerabilities, or open source software being re-used and rebranded all over.

Paul

You bring up an interesting point. During my time at iDefense, vendor
communication on open source projects posed perhaps the greatest
challenge. Not because project maintainers were unresponsive, quite the
opposite, they would often fix issues in a matter of days as opposed to
the months required by their commercial counterparts.

The challenge lay in informing those third parties, sometimes also open
source, sometimes commercial, that were utilizing the vulnerable
library/plugin/etc. There were two challenges here. First, how do you
identify all affected third parties? Second, how do you communicate with
them without essentially making the information public? In the first
case, we relied on the affected project maintainer to inform affected
third parties, not because it was the best system but because we felt
that the maintainer was in the best position to know who was using his
project (although I doubt that in most cases the maintainer knows for
sure either). This also eliminated the problem of finding a secure means
of communication as that became the maintainer's problem. Linux vendors
have attempted to address this issue with the vendor sec mailing list
but it is now plagued with holes so a post to the list isn't much better
than going public. In my opinion, it is necessary for major projects
(OpenSSL, BIND, etc.) that know their content is used elsewhere to
establish a secure communication medium with restricted membership for
this very reason. That's a tall order for a project with only volunteer
labor, but it's an important challenge.

Michael Sutton
Security Evangelist
SPI Dynamics
http://portal.spidynamics.com/blogs/msutton
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

