Reporting Vulnerabilities is for the Brave


I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn’t have access to the source code or configuration information).  As luck would have it, the web site got hacked.  I had to talk to a detective in the resulting police investigation.  Nothing bad happened to me, but it could have, for two reasons. 

The first reason is that whenever you do something “unnecessary”, such as reporting a vulnerability, police wonder why, and how you found out.  Police also wonder: if you found one vulnerability, could you have found more and not reported them?  Who did you disclose that information to?  Did you get into the web site, and do anything there that you shouldn’t have?  It’s normal for the police to think that way.  They have to.  Unfortunately, it makes it very unappealing to report any problems.

A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof.  This got Eric McCarty in trouble—the proof is automatically a proof that you breached the law, and can be used to prosecute you!  Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time.  We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing.  I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it…).  Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means.  If there had been an overlap in time, we could have become suspects.

The second reason that bad things could have happened to me is that I’m stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism.  Why anonymously?  Because student vulnerability reporters are akin to whistleblowers.  They are quite vulnerable to retaliation from the administrators of web sites (especially if it’s a faculty web site that is used for grading).  In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem.  Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don’t yet either).  They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions.  Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities. 

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited.  I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student.  My superiors also requested that I cooperate with the detective.  Was this worth losing my job?  Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?  Thankfully, the student bravely decided to step forward and defused the situation. 

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

  1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.
  2. Try to avoid using that system as much as is reasonable.
  3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos.  However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice.  We all want to do the right thing, and help people we perceive as in danger.  However, you shouldn’t help when it puts you at the same or greater risk.  The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer—you’re a student!) is just too high.  Moreover, this is a web site, an application;  real people are not in physical danger.  Forget about it.
  4. Delete any evidence that you knew about this problem.  You are not responsible for that web site, it’s not your problem—you have no reason to keep any such evidence.  Go on with your life.
  5. If you decide to report it against my advice, don’t tell or ask me anything about it.  I’ve exhausted my limited pool of bravery—as other people would put it, I’ve experienced a chilling effect.  Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity.  I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.

Edit (5/24/06): Most of the comments below are interesting, and I’m glad you took the time to respond.  After an email exchange with CERT/CC, I believe that they can genuinely help by shielding you from having to answer questions from and directly deal with law enforcement, as well as from the pressures of an employer.  There is a limit to the protection that they can provide, and past that limit you may be in trouble, but it is a valuable service. 


Posted by PeterP
on Wednesday, May 24, 2006 at 10:34 PM

@Mulhall: You obviously think that the prisons are ONLY full of guilty people.

Posted by Andrew
on Wednesday, May 24, 2006 at 11:27 PM

To use Joe from Australia’s analogy of the office building:  If you were to find a back door of the building lying wide open, you probably wouldn’t go inside.  If it was obviously left open by mistake, and SHOULD be shut, you might stick your head around the door and shout “hello”, but more likely you’ll go to the front door, and tell the receptionist, or security guard.

If it was an office, I doubt the company would accuse you of opening the door, nor of intruding through the door, so why should a network be any different?  Ability doesn’t automatically mean action.


Posted by ++Don
on Friday, May 26, 2006 at 06:05 AM

>1 The police will suspect you
>So what?

So, do you like having your finances and phone records snooped through, or having your house ransacked and your property seized, or being arrested?  Law enforcement is a very, very blunt instrument, and anyone with any sense of self-preservation will fear it.  I will never, ever trust the police to do the right thing if I’m the object of investigation.

>It seems to me that the problem is your lack of confidence
>in the justice system of your society


Posted by wkwillis
on Friday, May 26, 2006 at 10:32 PM

This is what big, nasty, class action tort lawsuit lawyers are for.
You have to make the companies more afraid of not fixing the flaw than of the work of fixing it. You have to convince the companies that accusing the reporter is a bad idea.
The first time some company that has punished a reporter is taken down by a hacker and then bankrupted by a tort lawyer is when we will have companies thanking you for pointing out a vulnerability.
It’s not that big, nasty, class action tort lawyers are good, it’s that the alternative is worse.

Posted by M1kael
on Sunday, May 28, 2006 at 03:24 AM

This is very dependent on the vendor hosting the website or the product found vulnerable.  You can’t lump all together any more than you can say that ALL vulnerability researchers are blackhat “crackers” looking to cash in on their findings or do nefarious activity.  It might help to check on the vendor’s site to see if they have a security address, their vuln handling policy clearly posted, an address to post security information, etc.  Many do actually, and abide by those policies.

Posted by Digitalia » Links For Tuesday 23rd May 2006
on Monday, May 29, 2006 at 01:51 AM

[...] Reporting Vulnerabilities is for the Brave Simple, clear demonstration of how arse-backwards authorities are in dealing with people who report security flaws in IT. Report a problem, and suddenly, you become top of the suspect list for any criminal access. Anyone else see the flaws in that plan? (tags: security politics) [...]

Posted by Brave Professor Teaches New Vulnerability Reportin
on Sunday, June 3, 2007 at 01:27 PM

[...] trick: don't; that is basically the gist of what Pascal Meunier, a professor at Purdue, has to say after his brisk run-in with the law following the time that he [...]
