Vulnerability Disclosure Evolves
Jeremiah recently posted about the Microsoft Security Response Center inviting security researchers to disclose vulnerabilities discovered in a Microsoft “online web property,” which is to say, anything under the microsoft.com domain (or msn.com, live.com, etc.). Immediately, people started trying to profit from the idea, suggesting that Microsoft agree in advance to a “reward system” whereby they would pay cash for vulnerabilities. While this would be inexpensive for Microsoft relative to their security budget, it would completely contradict the notion of responsible disclosure. If Microsoft chose to reward someone for reporting a vulnerability that they considered significant, that would be a nice gesture, but to expect them to pay up every time basically amounts to extortion: in other words, if you won’t pay me for this information, I’ll find someone who will.
RSnake has the right idea:
I, for one, embrace working with big companies, and reserve full disclosure for making a point or for when all else fails. If a company is open and willing to work with us, I think we should take them up on that offer if it’s as simple as MS has made it for us.
There are some grey areas in the legality of hunting for vulnerabilities in web sites, which Chris Wysopal alluded to a couple of months ago. While Microsoft isn’t exactly saying it’s OK to attack their web apps with impunity, they are implying that anyone who does find and report vulnerabilities in good faith won’t have to worry about legal action. But those seeking bounties probably won’t agree, as evidenced by this post:
If you think of security researchers as external independent R&D labs who can sell their findings to the highest bidder, it’s just a manifestation of that economy.
And this, which smacks of extortion:
Hence, until we are rewarded for reporting vulnerabilities, users of sites such as myspace, google, ebay, paypal, yahoo, msn, facebook and pretty much any other highly frequented site should consider themselves and any data they choose to place on these sites free game and in the public arena.
These posters either don’t realize, or are conveniently ignoring, the fact that staging unauthorized attacks against these websites is illegal to begin with, regardless of whether a bounty is on offer. There are a lot of shady underground economies, but the existence of a market for something doesn’t make trading in it legal or ethical.
Other companies should follow Microsoft’s lead in pledging to work with individuals who report vulnerabilities in web applications. This is a definite step forward for vulnerability disclosure, though it may take a few iterations to get it just right.