Full Disclosure of the Vulnerability Report

Abstract

The demand for better software products and secure internet from efficacious internet users has created an environment where vulnerability disclosure is an opportunity to beat the incompetent. This report discusses the causes of security vulnerabilities in the products, risks involved in the disclosure of a vulnerability, and the position of white, grey, and black hat hackers on the discovery and disclosure of the vulnerability. The grey hat hackers who can take risks to go an extra hop to discover and solve vulnerabilities are mostly the source of information for full disclosure of the vulnerability. There must be a safe method to disclose the vulnerability, CERT/CC and bug tracking tools are the solution. There must also be an opportunity to engage grey hat hackers in a controlled environment, open-source projects and beta testing are some of the methods. License and legal laws can be used to mitigate business risks due to hostile disclosure of vulnerability by white or grey hat hackers. The full disclosure of vulnerability without a patch is an opportunity for black hat hackers.

Introduction

Most computer users, developers, and technology research engineers learn the minimum amount of technology features required to use the computer systems or specialize in a particular field of their work (Hirsch, 2006). Some are ready to accept intellectual challenges and find solutions for limitations and problems. Solutions sometimes require circumventing limitations & problems with creativity, an unethical act with a well-defined code of ethics.

Hackers find an opportunity to enhance and exercise their skills in discovering unknown problems and to find a solution to a declared problem. While hackers take pride in their ability to apply technology in an unconventional manner they have to break rules to get access to a source of information and in the process, they risk their own security and the security of the target. There are three types of hackers (Hirsch, 2006; Charles, 2008):

• White hat hacker – A hacker, who has a defined code of ethics and is non-malicious, may also be involved in altruism.
• Grey hat hacker – Due to ambiguous ethics the legality of their actions may be questionable.
• Black hat hackers – They may indulge in unauthorized acts that can destroy system security, they use technology for malicious acts.

All three types of hackers use the same technology but their goals are different.

Research method and approach

In order to conduct research on the role of hackers in the disclosure of vulnerabilities, the related literature is found on the World Wide Web. The literature studied is blog posts of eminent persons, magazine articles, and research reports. Literature is found with Netscape and Google Search Engines, the list of keywords submitted to the Search Engines is given below:

• Types of hackers,
• Role of hackers in Open Disclosure of Software vulnerabilities,
• Open Disclosure of Software vulnerabilities,

The research approach is to comprehend the topic “full disclosure of vulnerability”, identify the issues involved and what role the three types of hackers play in vulnerability disclosure. The research findings are described in the Result section of the report.

Results

Why vulnerabilities are found in the released products?

Before analyzing the issue of ethics in vulnerability disclosure it is important to find the reasons why all vulnerabilities that are security risks are found in the released products:

• In a competitive market, there is a rush to release the product to capture ‘first-to-market’ sales. Beta versions of products are released for free or at a low cost. Some problems require greenfield data that can find vulnerabilities that escaped through usability tests.
• Some problems are not found in the company laboratory and are discovered by customers. They are not known beforehand and considered uncritical as compared to solution cost involved until reported by a customer.
• For some problems, the organization may not have the in-house expertise to find and implement a solution. “… during the late ’90s, … a piece of software on behalf of a vendor” (Vulnerability Disclosure, 2008).

Risks involved in discovering and disclosing software vulnerabilities (Arora, Telang, 2008):

There are many social, professional, and financial risks involved in vulnerability disclosure:

• Public awareness about security flaws increases with open disclosure of a vulnerability, this may cause negative publicity and business loss for the vendor. Demands for a quick high-quality fix from the vendor are raised.
• If the vulnerability has been discovered by a black hat hacker the risks of uncontrolled disclosure are greater as compared to white or gray hat hackers. The black hat hacker may share the information with other hackers in the group in order to gain advantages from unauthorized access to computer systems.
• If the vulnerability is disclosed by the vendor or any other agency such as a white-hat hacker or a third party that mediates between the vendor and vulnerability reporter before a fix for the vulnerability is made available the customers of the product are at risk from black hat hacking.
• A vendor may postpone the release of the patch according to an internal measure of the seriousness of the vulnerability. A hurried patch at a later time before the planned schedule due to vulnerability exploitation by black hat hackers has a risk of introducing new problems if proper Q&A is not conducted. The best policy in such circumstances is to make the patch ready but not release it unless the vulnerability becomes critical and warrants an immediate fix.
• The legal and social hassles in discovering and reporting vulnerability can be emotionally draining, threaten job and social associations. Dr. Meunier who was a good citizen engaged in fixing web application vulnerability with his student risked his as well as his student’s career. Later, he decided to inform his students to not indulge in vulnerability disclosure but rather report the vulnerability to CERT/CC (Berinato, 2007).
• Vulnerabilities can be national security risks, therefore full disclosure is dead and responsible disclosure is the trend (Grossman, 2007).

Responsible disclosure of the vulnerability

There is a difference between reporting a vulnerability and disclosure of the vulnerability. While the former is done to the rightful authority the latter may be hostile. Responsible disclosure is a combination of both tactics; if the aim is to be benevolent then disclosure/reporting must be un-hostile so that it does not inhibit the vendor from acknowledgment (Berinato, 2007). Following are suggested methods for responsible disclosure of vulnerability:

• The credibility and eligibility of the person disclosing vulnerability must be checked (Berinato, 2007).
• The person must have ownership of the software that has vulnerability and an appropriate license (End User License Agreement – EULA and the Digital Millennium Copyright Act – DMCA) that permits the user to investigate and disclose the vulnerability.
• According to the license, the person must also have the authority to make public disclosure of the vulnerability to the right authority.
• Public disclosure of vulnerability must be a definite proof e.g. vulnerable code, however, the rights to disclose the proprietary code must be checked to avoid legal issues.
• The person or agency that receives vulnerability reports must have been authorized by the vendor to receive vulnerability reports. In an example cited by Berinato (2007) Jennifer Granick a prominent lawyer and director at Stanford Center for Internet and Society informed that a person was charged for unauthorized testing of the system, copying data, and sending it to an unauthorized person.
• If the vulnerability has been found in an unauthorized manner with an intellectual curiosity an un-hostile responsible disclosure can be made without providing proof of concept.
• If the vendor has informed the vulnerability discoverer about the fix plans then the discoverer must restrain from public disclosure of the vulnerability.

Role of hackers in full disclosure of the vulnerability

White hat hacker avoids risks and voluntarily works on vulnerabilities disclosed without patches. They make responsible disclosure of the vulnerability. Benevolence may be the starting point that can lead to money. Since intellectual challenge and new business opportunities are their main objective therefore responsible disclosure mechanisms may encourage them and mitigate the security risks due to hostile disclosure of the vulnerability.

Grey hat hackers may take risks to find and solve vulnerabilities for monetary gains. Since responsible disclosure mechanisms such as CERT/CC and bug tracking tools may not necessarily involve money their approach is hostile. They take risks but avoid legal battles; therefore the vendors can discourage them and protect the business with legal laws and license statements. The hostile nature of their business can be mitigated by engaging them in controlled vulnerability discovery such as beta testing. “Still other researchers and … they worked on a fix” (Berinato, 2007).

Black hat hackers are hostile researchers who generally work on a disclosed vulnerability without a patch to steal information and make money in an unethical manner. Disclosure of a vulnerability discovered by them may be responsible or hostile or may not be done at all. They may use the opportunity to share the vulnerability information with friends and make money unless caught. “… a portion of Black Hat’s … getting burned in the wild” (Hartsock, 2007).

Discussions, Scope & Limitations

The disclosure puts market pressure on the internal team of an organization to release the fix; it puts the customers of the software organization at great risk (SearchSecurity, 2002). The trend of releasing a beta version of software products for extensive quality assurance tests (SearchSecurity, 2002) is a phase when organizations allow full disclosure of vulnerability information and provide an opportunity to grey-hat hackers to participate in the product development with mitigated legal risks. In this manner, the organizations are also able to benefit from the skills of hackers who have safe trespassing experience.

“If the impact of a … actions to prevent a problem” (SearchSecurity, 2002). Since hackers are always on the lookout for a challenge therefore in the good faith of all including the vendor and customers of the vendor a vulnerability must be disclosed in order to protect customer data. Precaution may be required to avoid damages from black hat hackers who may consider full disclosure of vulnerability as an opportunity to gain access to unauthorized systems. The measure of monetary loss and negative publicity due to the vulnerability determines the vendor and customer action plan. A fix may be provided quickly or the concerned authorities may be informed about the security risk due to vulnerability.

“Will those who reveal the security flaws … yet be able to silence the critics!” A grey hat hacker who takes legal risks to discover vulnerabilities can be discouraged by a vendor in order to prevent negative publicity about the product. Full disclosure of vulnerability may be in the public interest but may entangle the hacker in a legal battle. The game between the hacker and the vendor puts everyone at risk, the hacker may get entangled in a legal battle, the vendor may lose faithful and potential new customers and the customers may lose critical data. Therefore a proper code of conduct is required; the hacker has self-interest that is not only an intellectual challenge but also publicity and a chance to win the bounty.

“By publicly announcing … security will be better” (Ranum, 2007). This was the proclaimed objective of full open disclosure of vulnerabilities; a better product shall be delivered by vendors due to fear of negative publicity. The grey hat hackers get an opportunity to make money by partnering with security software vendors, as a result, the customer is either forced to dump the insecure product and buy a new more secure product or buy security software to protect systems from disclosed vulnerabilities. If there are no vested interests of the person discovering a vulnerability and an intellectual challenge is the only objective then white hat hacking is the most ethical method of reporting a discovered vulnerability to the vendor. This report may include the full disclosure of the vulnerability.

Discouragement of hackers with legal threats and public relations campaigns to divert public attention from the discovered vulnerability (Jericho, 2001) has a negative influence on public interests. This may become a political and economical issue that does not prevent cyber-terrorism but instead gives a stronger party a chance to bully. Hackers are necessary scavengers who have vested self-interests for fame and money but also provide information about security issues that could put major business decisions and data at risk. A hacker may get involved in vulnerability research for the following reasons (Vulnerability Disclosure, 2008):

1. An intellectual challenge when there is nothing else to do
2. Altruism – as a reviewer or a contributor to already disclosed vulnerability
3. Self-interests such as money & fame with an opportunity to learn and practice new skills.

In order to address the interests and concerns of all involved in vulnerability discovery, the hacker, the vendor, and the customers a system for vulnerability report, tracking and solutions are required. This practice has led to most organizations also support an open-source community through the Center for Emergency Response Team/Coordination Center (CERT/CC) and bug tracking tools (Arora, Telang, 2008). “There are also attempts … exclusively to their clients” (Arora, Telang, 2008). This can increase the number of vulnerabilities reported and involve more white hat hackers to mitigate the unethical effects of hacking and can thus be beneficial for all involved.

The scope of this research is to study the effects of full disclosure of vulnerability on the actions of hackers and their reaction to the effects. The effects are opportunities to make money, intellectual challenge, and associated risks. The research does not include behavioral & economic analysis of hacker’s reaction to economic incentives and vendor’s response to full disclosure of the vulnerability, i.e. whether hackers are encouraged or discouraged to indulge in hacking and disclosure. The report only suggests that economic incentives and acknowledgment from the vendor can mitigate hacker hostility, no empirical analysis is performed. The research also finds methods that can be applied to limit the hostility, such as vendor ‘terms of use’, license, privacy policy, and report through CERT/CC. Also, illegal disclosure can be guarded with legal laws and by CERT/CC. The most important limitation found is that it is difficult to control a black hat hacking market for both disclosed and undisclosed vulnerabilities with/without patches.

Conclusion

The disclosure of a vulnerability without a fix results in information loss for the customers. The most dangerous is from the black hat hackers who consider this as an opportunity to get unauthorized access to the computer systems. Secret vulnerabilities (Arora, Telang, 2008) reported by white and gray hat hackers have less associated security risk due to the code of conduct between the hacker and the vendor. As Grimes (2005) suggests responsible disclosure is much better than full disclosure. This can be achieved through a controlled mechanism that can be audited. The risk involved in the knowledge shared with the black hats that may be used in the uncontrolled environment at a later time. However, the monetary benefits can be an incentive for cooperation between the black hat hackers and the vendors.

The negative publicity and business loss due to full open disclosure of vulnerabilities and the race to win the competition for new products have created a hostile environment. Internet and the World Wide Web provide access to computer systems that store critical information. Opportunities to make money by stealing information with unauthorized access to systems and less-than-perfect products have given rise to the exploitation of vulnerabilities. Some make a benevolent contribution, some exploit the opportunity for monetary reasons by ethical and unethical methods, and there are also those who get professional fame. In order to change this hostile environment to a controlled system that can allow hackers also known as security researchers to participate in a cooperative manner that can benefit the entire systems that include vendors, users, and hackers’ legal laws and vulnerability reporting system is required.

References

Arora, Ashish. & Telang, Rahul. (n.d.). Economics of Software Vulnerability Disclosure [Internet]. H J Heinz III School of Public Policy and Management Carnegie Mellon University. Web.

Berinato, Scott. (2007) Software Vulnerability Disclosure: The Chilling Effect [Internet]. Web.

Charles, Kellep. (2008). The Types of Hackers: Black Hat, White Hat or a Grey Hat Hacker, which type are you? [Internet]. Kellep Charles Information Security Blog Space. Web.

Empirical Study and Theoretical Models of Software Vulnerability [Internet]. (2004). CarnegieMellon. Web.

Grimes, A. Roger. (2005). The full disclosure debate [Internet]. InfoWorld. Web.

Grossman, Jeremiah. (2007). Businesses must realize that full disclosure is dead [Internet]. SC Magazine. Web.

Hartsock, Paul. (2007). Sharing Insecurities at Black Hat [Internet]. Web.

Hirsch, Werner. (2006). Hacker Perspectives [Internet]. Web.

Jericho. (2001). Microsoft’s Responsible Vulnerability Disclosure, The New Non-Issue [Internet]. Web.

Ranum, Marcus. (2007) The Vulnerability Disclosure Game: Are We More Secure? [Internet]. CSO. Web.

SearchSecurity. (2002). User comments on full disclosure of software vulnerabilities [Internet]. SearchSecurity.com. Web.

Vulnerability Disclosure – let’s be honest about motives shall we? (n.d). [Internet]. Web.