Software Vulnerability Disclosure: The Chilling Effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

Page 3 of 3

"Law says you can't access computers without permission," she explains. "Permission on a website is implied. So far, we've relied on that. The Internet couldn't work if you had to get permission every time you wanted to access something. But what if you're using a website in a way that's possible but that the owner didn't intend? The question is whether the law prohibits you from exploring all the ways a website works," including through vulnerabilities.

Granick would like to see a rule established that states it's not illegal to report truthful information about a website vulnerability, when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it. "Reporting how a website works has to be different than attacking a website," she says. "Without it, you encourage bad disclosure, or people won't do it at all because they're afraid of the consequences." Already many researchers, including Meunier at Purdue, have come to view a request for a researcher's proof-of-concept exploit code as a potentially aggressive tactic. Handing it over, Meunier says, is a bad idea because it's proof that you've explored the website in a way the person you're giving the code to did not intend. The victim you're trying to help could submit that as Exhibit A in a criminal trial against you.

RSnake says he thought about these issues before he started his discussion thread. "I went back and forth personally," he says. "Frankly, I don't think it's really illegal. I have no interest in exploiting the Web." As for others on the discussion board, he says, "everyone on my board, I believe, is nonmalicious." But he acknowledges that the specter of illegality and the uncertainty surrounding Web vulnerability disclosure are driving some researchers away and driving others, just as Granick predicted, to try to disclose anonymously or through back channels, which he says is unfortunate. "We're like a security lab. Trying to shut us down is the exact wrong response. It doesn't make the problem go away. If anything, it makes it worse. What we're doing is not meant to hurt companies. It's meant to make them protect themselves. I'm a consumer advocate."

A Limited Pool of Bravery

What happens next depends, largely, on those who publish vulnerable software on the Web. Will those with vulnerable websites, instead of attacking the messenger, work with the research community to develop some kind of responsible disclosure process for Web vulnerabilities, as complex and uncertain a prospect as that is? Christey remains optimistic. "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet.

Or will they start suing, threatening, harassing those who discover and disclose their Web vulnerabilities regardless of the researchers' intention, confidently cutting the current with the winds of McCarty's guilty plea filling their sails? Certainly this prospect concerns legal scholars and researchers, even ones who are pressing forward and discovering and disclosing Web vulnerabilities despite the current uncertainty and risk. Noble as his intentions may be, RSnake is not in the business of martyrdom. He says, "If the FBI came to my door [asking for information on people posting to the discussion board], I'd say 'Here's their IP address.' I do not protect them. They know that."

He sounds much as Meunier did when he conceded that he'd have turned over his student if it had come to that. In the fifth and final point he provides for students telling them that he wants no part of their vulnerability discovery and disclosure, he writes: "I've exhausted my limited pool of bravery. Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"

E-mail feedback to Senior Editor Scott Berinato.
