Wednesday, 26 September 2012


Public Disclosure
The publicity stage of the vulnerability life cycle begins after thorough testing of the patch development effort. During this stage, the originator, coordinator, and vendor cooperatively develop the content of the public disclosure in a manner agreeable to all parties. The public disclosure process is similar to full disclosure with one exception: the public disclosure will not include any exploit code. However, full disclosure of technical details is included, together with a tested patch, potential workarounds, and possibly an IDS signature. The idea here is to give administrators and programmers enough information to defend against the vulnerability, but to make it difficult for script kiddies to launch an attack exploiting the known vulnerability. The timing of a properly conducted public disclosure must coincide with patch availability. However, if there is a known leak of the vulnerability, or if it is already being actively exploited, the public disclosure will preempt patch availability.
ISS Handling Vulnerabilities – Should You Pay?
During the latter half of 2002, Internet Security Systems (ISS) received considerable criticism over its handling of several vulnerabilities. ISS discovered flaws in Internet Software Consortium (ISC) BIND software, Apache Web server software, and the Sun Microsystems Solaris X Window font service. In all cases, ISS notified the vendor and worked with them to coordinate a public disclosure with patch availability. Irrespective of who is at fault in the handling of each incident, these procedures were not well received by the general public. In the case of the ISC BIND vulnerability, patches were not distributed quickly enough. The vendor patches for the Solaris font problem were flawed and had to be recalled. Finally, the Apache patch was not distributed until after public disclosure, even though black hats had been exploiting the vulnerability for over four months.
Because of these events, ISS was motivated to release a public policy describing each step it would take when disclosing a newly discovered vulnerability. The ISS disclosure policy contains several of the key responsible disclosure concepts with one notable exception: ISS declares that it will disclose the vulnerability to paying subscribers of its service one day after notifying the vendor. Further, it may incorporate testing for the new vulnerability within its security products. It is interesting to note that one of the key goals of responsible disclosure is to keep knowledge of vulnerabilities within the smallest circle of people until a patch can be developed and made public. What is to prevent a black hat from subscribing to the ISS subscription service and receiving a notice of the vulnerability one day after the vendor is notified? Is this type of selective disclosure ethical?

www.syngress.com
Chapter 3 • Vulnerability Disclosure
Conservative
ISS will not be disclosing technical details about the vulnerability, but the black hat will know what type of vulnerability exists and in which part of a vendor's product. That knowledge may assist the black hat in developing an exploit and using it on vulnerable systems before a vendor patch is available. In addition, it is not ethically appropriate to make money off exploitation information. This places ISS in a compromising position because it does not make money unless there are exploits.
Liberal
Making money from passing along exploit information is an honorable trade. If it is important for an organization to obtain this information, it will be willing to pay for it. It does take significant time and energy to accurately research potential vulnerabilities and address them intelligently. Black hat organizations may end up with access to this data; however, there is nothing unethical about the information itself.
SUMMARY
Some may consider it unethical to charge money for product vulnerability
information and argue that this type of service provides data to the
black hat community at a fee while not all of the IT community will have
access to the vulnerability data. Others argue that there is nothing
wrong with making a profit from the disclosure process, whether the
black hat community retrieves information in this manner or not.
