In Depth
Software Vulnerability Disclosure: The Chilling Effect
How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal
By Scott Berinato
The price consumers pay for supporting cheaper, buggy software is that they become an ad hoc quality control department. They suffer the consequences when software fails. But vendors pay a price, too. By letting the market sort out the bugs, vendors have ceded control over who looks for flaws in their software and how flaws are disclosed to the public. Vendors can't control how, when or why a bug is disclosed by a public full of people with manifold motivations and ethics. Some want notoriety. Some use disclosure for corporate marketing. Some do it for a fee. Some have collegial intentions, hoping to improve software quality through community efforts. Some want to shame the vendor into patching through bad publicity. And still others exploit the vulnerabilities to make money illicitly or cause damage.
"Disclosure is one of the main ethical debates in computer security," says researcher Steve Christey. "There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward."
What this system created was a kind of free-for-all in the disclosure bazaar. Discovery and disclosure took place without any controls. Hackers traded information on flaws without informing the vendors. Security vendors built up entire teams of researchers whose job was to dig up flaws and disclose them via press release. Some told the vendors before going public. Others did not. Freelance consultants looked for major flaws to make a name for themselves and drum up business. Sometimes these flaws were so esoteric that they posed minimal real-world risk, but the researcher might not mention that. Sometimes the flaws were indeed serious, but the vendor would try to downplay them. Still other researchers and amateur hackers tried to do the right thing and quietly inform vendors when they found holes in code. Sometimes the vendors chose to ignore them and hope security by obscurity would protect them. Sometimes, Arora alleges, vendors paid mercenaries and politely asked them to keep it quiet while they worked on a fix.
Vulnerability disclosure came to be thought of as a messy, ugly, necessary evil. The madness crested, famously, at the Black Hat hacker conference in Las Vegas in 2005, when a researcher named Michael Lynn prepared to disclose to a room full of hackers and security researchers serious flaws in Cisco's IOS software, the code that controls many of the routers on the Internet. His employer, ISS (now owned by IBM), warned him not to disclose the vulnerabilities. So he quit his job. Cisco in turn threatened legal action and ordered workers to tear out pages from the conference program and destroy conference CDs that contained Lynn's presentation. Hackers accused Cisco of spin and censorship. Vendors accused hackers of unethical and dangerous speech. In the end, Lynn gave his presentation. Cisco sued. Lynn settled and agreed not to talk about it anymore.