Vulnerability Reporting
Scott Blake
Director of Security Strategy
BindView Corporation/RAZOR Research
Agenda
• Introduction
– What is Politics?
• The Past and Present
– Ideologies, Actors, and Initiatives
• The Future
– Trends and Probabilities
• Full Disclosure
• Zero Disclosure
• Responsible Disclosure
Full Disclosure
• Tenets
– Information wants to be free
– Use the power of public opinion to make vendors improve code
– Exploit code is more useful than destructive
• Adherents
– Most non-profit researchers
– Very few commercial researchers
Zero Disclosure
• Tenets
– Responsibility for fixing vulnerabilities lies with the software vendor
– Authors of software should control information relating to that software
– There is no public good in broad availability of vulnerability information
• Adherents
– Many software vendors
– Many government actors
– Much of the Public
Responsible Disclosure
• Tenets
– Exploit code causes more problems than it solves
– Broad dissemination of vulnerability information is required to improve security awareness
– Use the power of public opinion to make vendors improve code
• Adherents
– Most commercial researchers
– Some notable software vendors
• Vendors
• Researchers
• Governments
• Media
• The Public
Vendors
• Motivators
– Shareholder value
• Financing
– Software Sales
• Interests
– Limit damage to brand value
– Limit vulnerability of customers
– Sell more software
• Power Relations
– Often try to prevent public disclosure of vulnerability information through legal action, market leverage, lobbying
November 10, 2009
Researchers
• Motivators
– Advance state of the art
– Build more security
– Build name recognition/peer respect
• Financing
– Day Job
– Customers (Grant, Contract)
– Software sales
• Interests
– Continue financing source
– Maintain/extend reputation
• Power Relations
– Hobbyists are largely free from external influence, provided the day job does not interfere
– Academic and consultative researchers are largely beholden to their funding source, but different funders set different restrictions
– Commercially-sponsored researchers are beholden to the parent company's interests
Governments
• Motivators
– Technocratic perception of public good
• Financing
– Taxes
– Campaign Contributions
• Interests
– Economic growth
– Public Safety
• Power Relations
– Prosecution of criminal or negligent behavior
– Large purchaser of information technology
The Media
• Motivators
– “All the news that’s fit to print”
• Financing
– Advertisements
– Subscribers
• Interests
– More readers
• Power Relations
– Very powerful creators of brand, image
– Influencers of public perception
The Public
• Motivators
– Too chaotic to be relevant
• Financing
– Too chaotic to be relevant
• Interests
– Stable, secure software
• Power Relations
– Wields tremendous power, but very difficult to direct in any specific direction
• Intended Outcomes
– Harmonize and update European computer crime laws
• Unintended Outcomes
– Potential for mis-implementation of tools provisions may have chilling effect on research
– Language pertaining to intent may lead to certification requirements for security practitioners
• Intended Outcomes
– Adds cybercrime to list of terrorist acts
– Strengthens provisions against aiding and abetting terrorists
• Unintended Outcomes
– Since hackers are now terrorists, is publishing vulnerability information aiding and abetting?
• Intended Outcomes
– Get information to those who need it
• Unintended Outcomes
– Puts information in the hands of the "bad guys"
• Intended Outcomes
– Limit availability of information to "bad guys"
• Unintended Outcomes
– Limit availability of information to everyone
• Increasing legislation
• Improving communication channels
• More and more research being done
• More vicious attacks
• Continuing penetration of Internet access