Secure Coding mailing list archives

Disclosure: vulnerability pimps? or super heroes?


From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 6 Mar 2007 13:40:30 -0500 (EST)


On Tue, 6 Mar 2007, Kenneth Van Wyk wrote:

> While a simple strcpy-->strncpy (or similar) src edit takes just
> moments, and shouldn't impact the functionality and reliability of any
> software, patches are rarely that simple.

Agreed, but this needs to change.  The threat environment has provably
worsened, so that it can be incredibly damaging to an organization if it
relies on software that takes months to fix.  From my outsider
(non-developer's) point of view, the development lifecycle needs to be
able to handle emergency situations.  The so-called "pimps" are
unintentionally highlighting this problem; what happens when 0-days become
more the norm and the time-to-patch hasn't changed?

> consumer advocacy.  But, I'm convinced that we need to find a process
> that better balances the needs of the consumer against the secure
> software engineering needs.

This assumes that there is widespread interest in helping the consumer,
which some researchers simply do not have, and certainly not the genuinely
malicious parties.  Not that I've given up on "responsible disclosure" but
there will be a community of people who won't follow any recommendations
that are put out, and hobbyists/independent researchers are also left out.

In some ways, I view the current state of affairs as a symptom - when
software gets strong enough that someone has to spend a lot of
time/resources to find a vulnerability and code an exploit, people won't
be so willing to just toss it out to the public willy-nilly.  It's just
too easy to "grep and gripe" for vulns in typical software.  Last year, a
14-year-old researcher gave us vuln DBs a headache by finding about 500
vulnerabilities in the course of a few months, using blatantly obvious
10-minute tests on demo versions of software that went for $100 to $500 a
pop.  That was one of the biggest unreported news stories of the year, as
far as I'm concerned.  Such blatantly insecure software should not be that
widespread.  He's not disclosing to the public anymore, just to his own
private group, and I don't think I prefer it that way.  Interestingly, he
was only interested in the "challenge," not the fame.

- Steve