Home » Data Protection » Application Security

Software Vulnerability Disclosure: The Chilling Effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

What happens next depends, largely, on those who publish vulnerable software on the Web. Will those with vulnerable websites, instead of attacking the messenger, work with the research community to develop some kind of responsible disclosure process for Web vulnerabilities, as complex and uncertain a prospect as that is? Christey remains optimistic. "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet.

Or will they start suing, threatening, harassing those who discover and disclose their Web vulnerabilities regardless of the researchers' intention, confidently cutting the current with the winds of McCarty's guilty plea filling their sails? Certainly this prospect concerns legal scholars and researchers, even ones who are pressing forward and discovering and disclosing Web vulnerabilities despite the current uncertainty and risk. Noble as his intentions may be, RSnake is not in the business of martyrdom. He says, "If the FBI came to my door [asking for information on people posting to the discussion board], I'd say 'Here's their IP address.' I do not protect them. They know that."

He sounds much as Meunier did when he conceded that he'd have turned over his student if it had come to that. In the fifth and final point he provides for students telling them that he wants no part of their vulnerability discovery and disclosure, he writes: "I've exhausted my limited pool of bravery. Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"

E-mail feedback to Senior Editor Scott Berinato.