Microsoft to banish 'responsible' from disclosure debate
Microsoft has submitted a proposal aimed at quelling one of the oldest debates in security circles: retiring the use of the term “responsible disclosure”.
The software maker wants to replace the term with the less pejorative phrase “coordinated vulnerability disclosure.” The hope is that software makers and researchers can put aside decade-old differences about the best way to handle critical defects so that end users are best protected.
“We don't want an emotionally laden term clouding the debate, and that's definitely gotten in the way of a lot of good discussions between like-minded people in security,” said Katie Moussouris, senior security strategist in the Microsoft Security Response Center. “We're really trying to reach out across the disclosure dividing lines and find the common ground where we all are. We all want to protect customers and users.”
The modest proposal comes a month after the public disclosure of an unpatched vulnerability took the debate to new highs. On June 9, Researcher Tavis Ormandy dropped detailed information about a critical bug in older versions of Windows that allowed attackers to take full control of a PC by luring its user to a booby-trapped website. Ormandy said he had notified Microsoft of the vulnerability just five days earlier, on a Saturday, and decided to take his advisory public when Microsoft didn't commit to fixing the flaw within two months.
Moussouris told The Register the company was unable to give Ormandy a timeline until it had finished investigating the bug, which resides in the Help Center of Windows XP and Server 2003 and was fixed earlier this month. Ormandy didn't respond to a request to comment by time of publication. Within days of the disclosure, reports began circulating that the previously undocumented flaw was being exploited by attackers.
Some people in security circles, including those at Microsoft, responded by noting that Ormandy worked for Google, and criticized him for releasing the details before Microsoft had a chance to fix the vulnerability, as the tenets of responsible disclosure hold.
On Tuesday, this Google blog post, which was co-written by Ormandy, criticized the term.
“The important implication of referring to this process as 'responsible' is that researchers who do not comply are seen as behaving improperly,” the post stated. “However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time.”
In Ormandy's post on the Full-disclosure forum — which he said represented his private opinion — he went further.
“This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure'),” he wrote. “Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots.”
Moussouris said the move to retire the term started long before the most recent firestorm ignited and noted that an International Standards Organization committee in April unanimously voted to drop the word “responsible” from its discussion on vulnerability reporting. Indeed, Steve Christey, who helped release the 'Responsible Disclosure' draft for the Internet Engineering Task Force in 2002, said the term has outlived its usefulness.
“I fully support an active push for more objective terminology within the industry,” he told El Reg. “This may help keep the long-running debate more focused on results instead of name-calling.”
In essence, coordinated vulnerability disclosure would work much like responsible disclosure: Researchers would be encouraged to report security bugs to the responsible software maker or other trusted organization and agree to keep all details private until a mutually agreed-upon time. But in the event the two sides don't see eye to eye, they would continue talking. In the event the finder decides to make the vulnerability public, he would communicate those plans to the software maker ahead of time.
“Even if you don't share disclosure philosophies with us — for example, if you're a proponent of full disclosure — we still want to talk to you,” Moussouris said. “Even if you believe in full disclosure, it is definitely worth it to come to us and let us know. Anything that helps us get a head start against attackers is what we want.”
I think that sound is coming from the other direction...
It's always easy to pick out the idiots that have never had to write anything more complex than a "Hello World!" program. They think that all programs are easy to write, easy to read, easy to change, easy to debug, etc. etc.
Real programs are complicated. Ormandy obviously doesn't have a clue about software. Of course the developer can't give you a timeframe for a fix until they understand what's wrong with the code. That's like asking your mechanic for a cost estimate on your car after telling him that there's a grinding noise coming from the front left side of your engine. The mechanic/coder has to find the actual problem before it can be fixed. Not just a set of symptoms, no matter how detailed. Also, the complexity of fixing a bug--and thus the amount of time it will take to fix--are not dependant on how easy the bug is to exploit. And do remember that there are a limited number of people available to fix these bugs and they do have more bugs to fix than just yours. I'm sure most companies would be happy to fix the security issues in their products as fast as possible, but that just doesn't mean that it's going to get done immediately.
While, yes, some companies do slack off on fixing bugs as soon as reasonably possible; most of the full disclosure advocates you hear about just seem to be interested in selfaggrandizement and bashing the company whose software he just found a bug in.
Good for them
"So we want to replace an emotionally ladened phrase that we understand with a dry, technical phrase that we don't understand. That will help protect the customers!"
*shrug* "responsible" disclosure doesn't protect customers no matter what it's called, since companies then just sit on some flaws for years, while blackhats exploit them freely.
Anyway, good for them. Coordinated vulnerability disclosure is dry but at least accurate.. whereas "responsible disclosure" causes so many debates between people like me that say letting everyone know about flaws ASAP is good, the blackhats probably already know, and therefore letting a company sit on the flaw for potentially months or years is *irresponsible*. And them, who say they should take as long as they want to fix a flaw so it's irresponsible to tell anyone until that point. (Personally, I would not disclose immediately, but if there's no substantial response in a week or two, well, someone like the full disclosure mailing list has to know... and to add to this, MIcrosoft in particular is irresponsible for only releasing patches once a month instead of as soon as the patches are ready.)
Microsoft to banish 'responsible' from disclosure debate
"We all want to protect customers and users"
Well why not start by designing secure software in the first place? From the "brain" virus, through Wordbasic macro viruses to the latest USB vulnerability, Microsoft have ALWAYS put "speed to market" first and security last. This latest step in the Redmond game is more "blame the messenger" posturing, and as such clearly does not represent any change from the sloppy security practices of old.
How many more messengers will get the blame before the world wakes up and stops buying inferior products at elevated prices from the Gates/Ballmer crowd?