CERIAS Weblogs » Reporting Vulnerabilities is for the Brave


Pascal Meunier

Pascal Meunier is a research scientist at the Center for Education and Research in Information and Assurance (CERIAS) at Purdue University. He is the author of the Cassandra system, the CIRDB and PI for the ReAssure project. He also teaches secure programming and publishes a set of slides in 3 parts on the subject.


I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn’t have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons.

The first reason is that whenever you do something “unnecessary”, such as reporting a vulnerability, police wonder why, and how you found out. Police also wonder whether, if you found one vulnerability, you could have found more and not reported them. Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn’t have? It’s normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.

A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble — the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it…). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.

The second reason that bad things could have happened to me is that I’m stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it’s a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don’t yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities.

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation.

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

  1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.
  2. Try to avoid using that system as much as is reasonable.
  3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos. However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn’t help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer — you’re a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.
  4. Delete any evidence that you knew about this problem. You are not responsible for that web site, it’s not your problem — you have no reason to keep any such evidence. Go on with your life.
  5. If you decide to report it against my advice, don’t tell or ask me anything about it. I’ve exhausted my limited pool of bravery — as other people would put it, I’ve experienced a chilling effect. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.

Edit (5/24/06): Most of the comments below are interesting, and I’m glad you took the time to respond. After an email exchange with CERT/CC, I believe that they can genuinely help by shielding you from having to answer questions from and directly deal with law enforcement, as well as from the pressures of an employer. There is a limit to the protection that they can provide, and past that limit you may be in trouble, but it is a valuable service.

57 Responses to “Reporting Vulnerabilities is for the Brave”

  1. iworms Says:

    Before any exploits or intrusions, developers/administrators dismiss warnings and recommendations; once something concrete happens, they assume the worst and bring in law enforcement and waste enormous resource to harass the bug reporter. Some do it for revenge; some do it to show that they’re doing a good job; yet others do it so that they can assure the community, “whoever responsible for the break-in has been tracked down and will be investigated.” Accompanying that comment is often the public relations statement, “fortunately the attacker was stopped before doing more serious damages,” stealing credit from the person who did the research.

    Going after the security researcher is safe and easy, so they do. When real attacks are waged from malicious parties, however, the standard procedure is to cover up.

  2. jonfr Says:

    “where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem.”

    Been there, done that. Got arrested, got lucky, found not guilty of all but one charge, but lost three computers because the court did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else again. Don’t care what the type of the flaw is, it’s their own problem, they can handle their own infestation. I have reported wrong settings in IBP forums and such when I register.

    But I do so really carefully and I don’t test the limit of the wrong settings, I just let the admin know with a PM or a simple post. Lucky for me, this is not common, but I have seen it.

  3. Anon Says:

    The best way to report such things is anonymously. And if they don’t fix it, put all the details & code required to hack ‘em on Full-Disclosure or somewhere like that.

    I had an exploit I found by accident that compromised the network drives given to students of a certain, nameless university. I reported it anonymously, they (eventually) fixed it, and I never had any problems. Of course, I was nice and I never reported it to anyone but them. But given the huge lack of clue I ran into at times, well, I was probably right to worry.

    So like I said: be anonymous. They can’t sue you if they can’t find you.

  4. Glauber Ribeiro Says:

    How about sending a single email to the site admin from an anonymous email account?

  5. Matasano Chargen » CERIAS on Vulnerability Reporting Says:

    [...] CERIAS has a blog post on Vulnerability Reporting For The Brave, which based on the title alone already had me ready to pick it apart line by line. [...]

  6. Someone Says:

    Heh it’s kinda risky publishing vulnerability information nowadays. As you know, full disclosure in France is now crime, as well as writing exploits.
    It seems the fear consumes them. So, find your bugs, write your exploits, keep them private and hack whoever you want (first target: Eugene Spafford heh)

  7. Mr Anonymous Says:

    Is that anonymous as in ‘i don’t tell you who i am’, or anonymous as in ‘you couldn’t possibly find out who i am, no matter how hard you try’?

    How do you distinguish one from the other? And, should your attempt at the latter fail, does your extra effort in hiding your identity diminish your claim to be a simple ‘good Samaritan’?

  8. Richard Says:

    The reality is that some websites can harm people. Banking, health and other information is available via the web. If you have found a big enough bug, don’t tell anyone. Send them the basics in a legal text that is not fully incriminating from a hotspot, or other open network that is not so traceable, using a temp mail portal. I know it seems like a bad line from “Sneakers” or “Hackers” or some other movie, but we do have a reasonable need to promote security. Even the best admin can miss something. Better to miss it and have a concerned end user point it out than lose millions and harm real people from not knowing.

    The sad fact is, we are cultivating a nirvana for those who wish to do harm. A better response yet is to call your local government official and make sure they understand what they are enacting, when they slap our hands for doing what is RIGHT.

  9. W.Taylor Says:

    Perhaps a pre-emptive strike would be better:
    If the web site is part of an organization which has accepted your credit card info, or has required you to submit to them personal information such as a SSN or grades, or health insurance info, get a lawyer and sue them for breach of privacy. Or complain to a Federal Agency that the organization is exposing your personal info. Even if the website ultimately is shown to have no physical connection to a database that has the info, they both go into the same organization, and the info may, at some level, be accessible.

    Make it a public complaint; strike first.

  10. Jon Says:

    Yeah I understand this. Got in a decent amount of hot water for reporting a bug that got me access to a whole boatload of stuff I shouldn’t have. Phone records, student records, private SSL keys, etc., I think the only reasons I wasn’t expelled was that I was friends with one of the sysadmins.

    Also if any of them are reading this: Hi Dave, Phopp, Mary, etc.,

  11. Michael Lynn Says:

    I personally wouldn’t recommend helping big vendors out, no good deed goes unpunished in my experience.

  12. Adam Says:

    I had a vulnerability reported against my code once, which was invalid. The reporter found an interface flaw (which was not written particularly robustly) but then of course was stopped when he tried to take action with the form at the end of the multi-page form by the underlying business logic (which was written robustly) and clearly said he’d been blocked.

    Of course, what pissed me off the most is that, valid or otherwise, he reported the invalid exploit to a public forum FIRST and didn’t come to us privately.

    And frankly, with websites if you report publically, then black hats on those lists are going to wonder what ELSE is weak and go gunning for the you, which is exactly what happened.

    1 day after the initial report, some teenagers from Dallas broke in (via bind we _think_) and we had to scorched earth half a dozen servers.

    And then the guy had the hide to offer to consult with us to fix it.

    Bastard.

    (sorry, just venting, consider it a reminder to report privately first and at least give us poor coders a chance to avoid becoming a giant target)

  13. Shalev Says:

    In light of this, several other articles, and a few months of research - would it be beneficial to people to have a website designed to be a gateway for anonymously reporting vulnerabilities?

    I’m thinking of a site that would not record ANY (no IP’s in the access logs) personal information of the people using it that would act as a go-between between the researchers and the sites they’ve discovered the vulnerabilities in. The researcher would submit the vulnerability to the site, the site would then contact the target site and inform them of the possibility of an exploit. All parties would be protected as the researchers submit anonymously and the site itself did nothing more than pass on information (they themselves did not conduct the research/exploit).

  14. No Such Thing As Anonymous Says:

    Are we becoming so totalitarian?

    My political science teacher explained that the reason so many North Koreans could not fit into South Korean culture after finding a way home was because of a significant culture difference. Typically a N. Korean is discouraged from any sort of self initiative by the government / employer / etc. When they get to S. Korea and are given a large immigrant stipend from the S. Korean government to get their lives back on track, they often wind up homeless or in the most menial of jobs because they don’t fit into the robust, curious and motivated S. Korean culture.

    I don’t want the US to become like N. Korea.

  15. Bertho Stultiens Says:

    It is always easier to kill the messenger than to kill the message. Is history repeating itself?

    It saddens me utterly that people are giving in to this type of intimidation. It is understandable and at the same time unforgivable.

    This is the end of any and all of the values that build the medium in the first place.

    I have no problem reporting any problem I care about. Even though someone might want to haunt me for whatever misguided reason. Some basic principles _are_ worth fighting for.

  16. Pupeno Says:

    If you need to stay anonymous, for this or any purpose, I recommend Tor (http://tor.eff.org/).

  17. Mr. HMM Says:

    Gotta have your lawyer in your back pocket at all times.. It’s sad, but you don’t want to get burned bad, or incriminate yourself.

  18. Ilya Says:

    You think this is bad? Someone I know found a dead body underwater while scuba diving, and reported it to the police. The police arrested her and treated her as a murder suspect. She swears she will NEVER report any crime again, especially a dead body.

    I know police is supposed to suspect everyone, but they could have investigated her surreptitiously. As is, they succeeded in creating a person who will never help them again.

  19. John Herron Says:

    I wrote an article called “It’s 2am, do you Know What Your IT Staff Are Doing?” (http://www.nist.org/news.php?extend.118) that outlines the recent such case at USC. But the article tries to explain from a legal point of view why most businesses would be very stupid to report someone intruding in to their system. Regardless of their intent. The best thing you can do is NOT to hunt for vulnerabilities on someone else’s system. If you stumble upon something, totally by accident, report it anonymously if you left no trail (which if it truly was by accident then you shouldn’t have been covering your tracks), or simply ignore it. I think most people hunt for vulnerabilities for egotistical reasons, they want the glory. So being totally anonymous probably doesn’t appeal to most people.

    I don’t want to hijack this great discussion so please direct any comments back here.

  20. Paul Crowley Says:

    The problem today is the black hats are protected by numerous laws and privacy regulations. Most of them are incredibly stupid and arrogant, so finding them is pretty easy - they brag, they tell everyone they meet, and so on.

    The ones that are not so incredibly stupid are still out there. Ready and willing to do however much damage they can, just because they can. There are no consequences for them, and they believe it is their target’s fault they are able to wield such power.

    So all you have are stupid script kiddies and innocent do-gooders that are just trying to help. Unfortunately, it is almost impossible to tell the difference between the two from the outside and without any special knowledge.

    Until the black hat folks are stopped, this sort of thing will continue to happen. Trying to be a do-gooder will get you lumped in with the script kiddies and you do stand a good chance of being prosecuted.

  21. It’s hip2b2 (Mobile, Security, Web 2.0, Pipe Dreams and More) » Blog Archive » Our Vulnerable Internet 2 Says:

    [...] In a previous blog, I discussed how vulnerable our Internet was to attacks and that there are really no hard and fast solutions to these problems. Plus the fact that there are a good number of times that when you report a vulnerability you get in trouble because your guilt is presumed. This and other reasons make it difficult to ensure that systems are in tip top shape (security-wise). What makes things worse are inherent weaknesses of the Internet that can be exploited such as the Domain Name System (DNS) and the use of Distributed Denial of Service (DDOS). These problems affect everybody and do not single out a particular country or region as vulnerable. [...]

  22. SGA Says:

    No - F them.

    If the world is reaching the point where helping someone is more trouble than it is worth - then let them reap the rewards of promoting that kind of internet.

    If they want that sort of help - let them put up on their page or net.issue how to reach them for possible bugs/exploits.

    Like the author said, if it isn’t life or death then it isn’t worth making an issue out of.

    Let them sink their fangs into the real trouble makers.

  23. Mike Says:

    I think the final word of advice got cut off at the end of the post:

    6. Curl into a ball until the bully stops kicking you. Weep. Live life in fear, ensuring you never do anything that any other person would consider wrong in case they come get you. If they do, start this step again.

  24. Joe in Australia Says:

    Treat computers as if they were buildings. You wouldn’t go around testing the locks on strange office buildings: don’t go around testing the security on strange websites. If you found an office building with its front door open you wouldn’t go inside to prove that it was really unlocked: treat websites the same way.

    If you do happen to notice a vulnerability in the normal course of your dealings with the website then there is nothing you can do that will not make you a suspect. It really is true that guilty parties are often the ones who report crimes. Anything you do to lower your profile could be seen as evidence of a guilty mind. The safest thing to do is to terminate your dealings with that website, check that your passwords are secure, and move on.

  25. Carlos Says:

    Trying to find SQL injection vulnerabilities just for fun is like trying to open the door of every car in your neighbourhood. Sure, someone will have left the car unlocked (I do sometimes) and maybe you can do him a big favour by opening the door, locking it and leaving. But what if a cop is watching you? You BROKE INTO SOMEONE ELSE’S CAR and you will be arrested. And what if the owner left the keys inside because he was urged to pee, and when he comes back he finds the car locked with the keys inside? And what will you do if the car alarm goes off?

    Instead, if you see a car that is *evidently* unlocked (so evident that you can tell it from outside the car) and you know for sure you can alert the owner or someone responsible for the car (like a parking lot owner), you look for him and tell him. Otherwise, you just stay out of trouble and hope for the best.

    Same thing if you go to a restaurant and find a gun under a table. Will you take it and try to fire it so you can be sure it’s dangerous or just alert the authorities?

    There’s no reason it should be different in the internet - take care of yourself before taking care of someone else…and don’t let your ego and your dreams of becoming a hero ruin your life.

  26. /Cry : Brave Professor Teaches New Vulnerability Reporting Trick Says:

    [...] Brave Professor Teaches New Vulnerability Reporting Trick The trick: don’t; that is basically the gist of what Pascal Meunier, a professor at Purdue, has to say after his brisk run-in with the law following the time that he reported a flaw in a web application in conjunction with a student of his, who found the vulnerability. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable. Try to avoid using that system as much as is reasonable. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos. However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn’t help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer — you’re a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it. Delete any evidence that you knew about this problem. You are not responsible for that web site, it’s not your problem — you have no reason to keep any such evidence. Go on with your life. If you decide to report it against my advice, don’t tell or ask me anything about it. I’ve exhausted my limited pool of bravery — as other people would put it, I’ve experienced a chilling effect. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.
    How great, that modern professors are teaching such brave responsibility to their students. As a software developer, I can see this from both sides, sort of. I definitely understand the developers giving the bug reporter’s information to the police in hopes that they could lead them to the hacker. After all, who is the most likely person to hack the site? A person that knows a vulnerability, and maybe learned some more. From the reporter’s side, I can understand being a little troubled about being reported to the police, especially if you are innocent, but at the same time, I would understand that the police are just following sensible leads. It really saddens me that a professor would not at least suggest to report vulnerabilities anonymously in such a case. I can imagine that this professor was too ignorant to think of this idea, but I have known professors to be far dumber. No, I think this is the professor’s way of legitimizing laziness. Yes, I have reported possible vulnerabilities to closed source vendors (including a company that I used to work for), and even code documentation (MSDN) and I am not worried about being grabbed for hacking someone’s web server through a fix I suggested because I have nothing to hide and I am not worried about losing a few hours of my day after a company probably lost thousands of dollars (though, I will say that I am nowhere near as important as an empowered professor). Published Monday, May 22, 2006 8:57 PM by Picky [...]

  27. SecuriTeam Blogs » Reporting Vulnerabilities is for the Brave Says:

    [...] I came across this nice article: Reporting Vulnerabilities is for the Brave by Pascal Meunier. The article speaks about how frequently vulnerability researchers come face to face with the ugly side of disclosing vulnerabilities, such as in the case of Eric McCarty. [...]

  28. Here's an idea Says:

    If you find a vulnerability and there is YOUR sensitive data in the application, sue the company/school for wrongly exposing YOUR sensitive data.

    It’s true that the web server and application belong to them, but YOUR data belongs to YOU. You did not give them permission to share it with the world. You don’t have to give details on the vulnerability or “prove it”. The burden of guilt is upon them.

  29. Asim Shaikh Says:

    I was referred to this blog by a friend.. maybe because I have been through this before.. like they say.. been there done that.. There are many websites I come across daily which are exploitable.. at most nowadays I see if there is anything useful for me and keep quiet about it..

    The risk factor of doing a good deed increases when it’s a government site you come across which is vulnerable. They are like a double-edged sword which is ignored by administrators and hackers alike unless some misfit brave soul decides to hack it.

    In the past I have been thanked for reporting bugs but nowadays mostly threatened by lawsuits.. which has forced me to throw away my grey-white hat and get along with black which suits my needs and hides my deeds well . .

    Many have recommended anonymous proxies and mails to report such things.. but my experience says they are mostly ignored unless the sender IP can be confirmed to be prosecuted..

    In today’s world it’s best to mind your own business and ignore them unless you are paid to look at it.. Nobody cares even if millions of credit cards get hacked each day and not reported for this very same reason..

  30. saken Says:

    Every vulnerability is an asset and should be sold to persons who can appreciate your knowledge, skill and time spent to discover these vulnerabilities.
    Mind *YOUR* own business.

  31. Ray Says:

    I entered an IP address that was one number off when accessing a VNC connection and stumbled onto a computer that was linked to a VPN of a major merchant bank. The teleworker using the system was processing lease financing applications. Apparently the nice IT boys & girls from the bank who set up Mr. Telecommuter’s system decided to put in VNC for a little remote administration and neglected to even set a password. I’m sure they told him “you’re on the VPN, everything’s secure, no sweat, don’t worry”. The kicker is that although I could see all kinds of email addresses, I could never see HIS email address, and I could not come up with another reasonable way to let him know the magnitude of his insecurity without exposing myself to all kinds of potential risk. So in the end I just let it go. Proves three things: 1) with no reasonable system to report vulnerabilities, white hats finding them just won’t report them; 2) there really is no such thing as security by obscurity; and 3) even major merchant banks with uber-secure VPNs can be done in by one dumb-ass IT “professional”.

  32. jkm Says:

    You guys (and girls) that think you are smart and report bugs/holes etc anonymously, please be advised that it is hard to be anonymous.

    If you submit data in a webform, your IP will show. If you create a brand new email account (yahoo, google, whatever) your IP will be included in the recipient’s mail header. The owner of the system you use will leave information to the authorities (or others) if they become pressured.

    To be anonymous is NOT easy!

  33. RMS Says:

    If people were not lying you wouldn’t need police and then you would be able to report any bug you want to report. But they should consider that YOU’re reporting a bug, not that THE NEIGHBOUR is reporting the fact that you know a bug.

  34. Ryan Clark » Blog Archive » Reporting Vulnerabilities is for the Brave Says:

    [...] read more | digg story [...]

  35. Mirko Says:

    “Reporting vulns is for the brave”: You are very right. This is even if you are employed by a company to find vulns and report them. People always have these afterthoughts about why you do what you do in the first place.

  36. Martin Sturm » Blog Archive » Helping people is a crime? Says:

    [...] Today I read about this article on Slashdot. It is written by a teacher who helped a student reporting a vulnerability on a public (commercial?) website. Because shortly after their report the website was hacked and the police investigated the case, they were almost treated like criminals. I think this is ridiculous. It is almost the same as getting arrested when you report a suspicious bag on a railway station or warn a house owner when you see that he left his front door open. Fortunately, here in the Netherlands there is no law which enables the police to arrest people for reporting a vulnerability as far as I know (and according to a teacher at our university). Hopefully the EU will not take the US law as an example for this kind of stuff, because the people over there who created this law are obviously not aware of the daily practice regarding the discovery of flaws in software. A typical example of the ignorance of some politicians. The teacher in the article concludes that you should destroy all the evidence that you are aware of an existing vulnerability and certainly not tell the developer/site owner about the bug. While it may be the best thing to do, it is really crazy that you should do this. How the hell do politicians want to get a ’safer and better world’ when it is not allowed to report defects? On the other side, it explains the growing number of spam, the increase in identity theft, the new problems with phishing and so on… if they are not going to change these laws and rules, I think we are only seeing the beginning of these things. [...]

  37. TropicalCoder Says:

    I found this whole discussion so sad - so full of cynicism. It seems all respondents fell into the same hopelessness - for lack of a better word. We can’t just leave it like that, or we are lost as a human family. We must not give up so easily on our natural urge to help our fellows. Please, somebody - offer a ray of hope. When we just walk on by when we see a brother in distress (It’s not my problem!) it diminishes us all.

  38. John Herron Says:

    And then comes proof of why we need internal auditors and paid PEN testers. http://www.nist.org/comment.php?comment.news.118 This is totally unsatisfactory!

  39. Technosophy » Blog Archive » Security Says:

    [...] What should you do if you discover an info security vulnerability in a website or other piece of software?  Report it, right?  Think carefully before you do - your knowledge of the flaw may be taken as evidence against you! [...]

  40. Alton Naur Says:

    You always need to look at the “terms of use” section of the website, and not do anything that is beyond what is permitted there. In some cases if you even “view source” on a fancy webpage (e.g. AJAX), your actions could be interpreted as an infringement on the “do not reverse engineer” terms of the Digital Millennium Copyright Act.

  41. CERT/CC Says:

    -----BEGIN PGP SIGNED MESSAGE-----

    CERT/CC can (most of the time) help. We have a Vulnerability Analysis Team whose day job includes reporting vulnerabilities to vendors, including web site developers/owners. To speak to a couple of the legitimate concerns raised in this thread: We can act as a proxy to maintain the anonymity of a reporter, and we are usually better positioned to deal with angry vendors, legal threats, law enforcement, etc.

    To report to CERT/CC, please see our old-school text vulnerability reporting form:

    http://www.cert.org/reporting/vulnerability_form.txt

    And here is our still-accurate-but-slightly-dated vulnerability disclosure policy:

    http://www.cert.org/kb/vul_disclosure.html

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iQCVAwUBRHM3iETFt36OlbLxAQHi5AP9HcDQQc6D8V+vEvSAS0QX1rHc1NFwpE9l
    /NyllFPcenyq8xxNzCxU3bTafTZCiP6wY+Bcoc5CRsNS7V1wCWLwCci97P7JgsRt
    b9IHjhmrf5tPdkgHxwa8RWBDFzZ0ITO2e+/nd+kG2BGQxWFkwHA+/We+PXWClMLo
    khfijr65H6c=
    =jt9n
    -----END PGP SIGNATURE-----

  42. lensovet Says:

    > Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.

    Oh really? It’s just an application, no people are affected. How about applications that handle sensitive data, bank transactions, medical records, et al? Who are you kidding? In today’s increasingly online world, such a statement is just pure nonsense.
    Hell, maybe people should stop reporting OS security flaws as well. Have you ever looked at who reports the security flaws in Apple’s Mac OS? Half the time, it’s ordinary people. Damn I wish they would stop! My Mac is just too secure!
    Puhlease.

  43. Lord Hedgehog Says:

    Your story reminds me of my own — while a student (1996), I found a vulnerability that granted me access to anyone’s account in the university. Fearful of reprisals, although I believed I’d done nothing wrong, I asked a friend (and staff member) to relay the vulnerability. He did, and nothing bad ever came from it. I don’t know how much ten years have changed the culture, but I fear for students that can’t explore and discover.

  44. Die Blog Diebin » Blog Archive » None Disclosure II Says:

    [...] And once again it is better to keep security holes to yourself. Pascal Meunier, a scientist at the Center for Education and Research in Information and Assurance at Purdue University in Indiana, writes in a blog entry about a new non-disclosure case. One of his students uncovered a security hole in a web application and told him about it. The security hole was fixed, the site was hacked. The cops wanted to know which student it was, but he didn’t tell them. In the blog entry he writes: it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person [...]

  45. RocketEddy Says:

    This is one of those situations where it’s easy to see both sides. The real problem is the culture we’re developing where we attack people for trying to help.

    It’s like suing somebody for breaking your arm whilst pulling your unconscious body from a burning building.

    Of course, you can look at it the other way. If you have a website/application/body in a burning building.. what would you prefer? For somebody to help you, or for somebody who can help to “pass by on the other side” for fear you might act against them?

    It’s a sad day when somebody goes after the good samaritan. The solution is clearly to stop these attacks on the person who attempts to help. Until we solve that issue, more and more people are going to stop helping, and the world becomes a shittier place for us all.

    In this particular case, it’s not an immediate life-or-death situation. So you can be cautious. If you stumbled across a suspected flaw whilst doing only things you’re supposed to be doing… then a message to the admins explaining your suspicions and outlining exactly how they arose is the obvious first step. If you offer to help them investigate further with written permission to do so, the choice is theirs. If they turn you down, screw ‘em. At least you tried. But do NOT attempt to prove you’re right just “because you can”. And keep a copy of all correspondence.

  46. Simon Says:

    As a coder I think it’s utter nonsense for me to attack someone for reporting a vulnerability in my application. I’d instead be extremely grateful.

    Actually most of the time I think the coder community doesn’t know what they are doing. In the end vulnerabilities occur because coders don’t think twice or thrice about their class/object/property/method invocation, because the thrill is in seeing the darn app work, and the adrenaline rush dies down after the app goes out the door. Code walkthroughs are more and more rare these days.

  47. Sy Ali Says:

    Seeing as the programs get handed over to non-coders once they’re done, it ends up being that the non-coders get these vulnerability reports. They freak, since they lack the background and tools to deal with the problem.

    Even when the report lands in a coder’s lap, it’s usually not the original coder, nor is it in the lap of a person who is in a position of power to swiftly decide upon the problem. So panic ensues.

    If it were a personal project and the original developer got the report then the reaction would be better. But since the report ends up being bogged down by non-techs and bureaucrats.. things get hairy.

  48. meneame.net Says:

    Reporting vulnerabilities is for the brave

    If you find strange behaviour on a website, don’t try to confirm that it is vulnerable, don’t tell anyone about it and don’t try to show off, forget about it, delete any evidence that implies you know about the problem, you are not responsible for that w…

  49. PsicoIT Support Says:

    Every Good Deed Will Be Punished ®

    As Pascal Meunier (a scientist at the Center for Education and Research in Information and Assurance) describes in his blog, the task, almost always done "as a favor", of reporting vulnerabilities in software or sit …

  50. Mulhall Says:

    Why are you afraid of becoming a suspect?
    A suspect is not a convict.

    Pascal Meunier has given two reasons for you to be afraid:
    1 The police will suspect you
    So what?
    2 They’ll want to speak to the student who found the vulnerability?
    So what?

    You’ve found a vulnerability and you feel it’s your civic duty to report it, but you don’t feel it’s your civic duty to help the police follow it up?

    It seems to me that the problem is your lack of confidence in the justice system of your society, not in the way vulnerability reports are handled.

  51. PeterP Says:

    @Mulhall: You obviously think that the prisons are ONLY full of guilty people.

  52. Andrew Says:

    To use Joe from Australia’s analogy of the office building: If you were to find a back door of the building lying wide open, you probably wouldn’t go inside. If it was obviously left open by mistake, and SHOULD be shut, you might stick your head around the door and shout “hello”, but more likely you’ll go to the front door and tell the receptionist or security guard.

    If it was an office, I doubt the company would accuse you of opening the door, nor of intruding through the door, so why should a network be any different. Ability doesn’t automatically mean action.


  53. ++Don Says:

    @Mulhall:
    >1 The police will suspect you
    >So what?

    So, do you like having your finances and phone records snooped through, or having your house ransacked and your property seized, or being arrested? Law enforcement is a very, very blunt instrument, and anyone with any sense of self-preservation will fear it. I will never, ever trust the police to do the right thing if I’m the object of investigation.

    >It seems to me that the problem is your lack of confidence
    >in the justice system of your society

    Precisely.

  54. wkwillis Says:

    This is what big, nasty, class action tort lawsuit lawyers are for.
    You have to make the companies more afraid of not fixing the flaw than of the work of fixing it. You have to convince the companies that accusing the reporter is a bad idea.
    The first time some company that has punished a reporter is taken down by a hacker and then bankrupted by a tort lawyer is when we will have companies thanking you for pointing out a vulnerability.
    It’s not that big, nasty, class action tort lawyers are good, it’s that the alternative is worse.

  55. M1kael Says:

    This is very dependent on the vendor hosting the website or the product found vulnerable. You can’t lump all together any more than you can say that ALL vulnerability researchers are blackhat “crackers” looking to cash in on their findings or do nefarious activity. It might help to check on the vendor’s site to see if they have a security address, their vuln handling policy clearly posted, an address to post security information, etc. Many do actually, and abide by those policies.

  56. Digitalia » Links For Tuesday 23rd May 2006 Says:

    [...] Reporting Vulnerabilities is for the Brave Simple, clear demonstration of how arse-backwards authorities are in dealing with people who report security flaws in IT. Report a problem, and suddenly, you become top of the suspect list for any criminal access. Anyone else see the flaws in that plan? (tags: security politics) [...]

  57. Brave Professor Teaches New Vulnerability Reporting Trick - /Cry Says:

    [...] trick: don't; that is basically the gist of what Pascal Meunier, a professor at Purdue, has to say after his brisk run-in with the law following the time that he [...]
