Responsible Disclosure: Contingency Plan Needed
Mark Joseph Edwards considers whether a company should remain silent about security vulnerabilities in its product when someone has already informed the public about an exposure.
April 9, 2002
How should vendors react when vulnerabilities are made public?
More than 3 weeks ago, Radim Picha discovered a serious security vulnerability in Windows 2000 and Windows NT systems. The vulnerability lets users gain system-level access, even with the Guest account. To date, Microsoft hasn't alerted its customers about the exposure—as you'll read in the related news story "Dangerous Hole in Windows 2000 and Windows NT Grants Users Full Control" in this issue of Security UPDATE.
When I contacted Microsoft to ask why the company hasn't alerted its customers, a spokesperson informed me that the company is working on the problem but doesn't yet have a fix. Microsoft also said that although Picha alerted the company to the problem, he waited only 2 days before posting his discovery—complete with source code that demonstrates the problem—to a public mailing list. I agree that 2 days isn't a lot of time for a company as large as Microsoft to produce a hotfix, especially given the nature of the vulnerability. But this security exposure and Microsoft's response to it do, in fact, raise some important questions.
As you know, in December 2001, we reported Microsoft's launch of a new Gold Certified Partner Program for Security Solutions, which, among other things, requires that program participants report security problems to Microsoft and not alert the public until Microsoft has a fix available. In November 2001, we reported that Microsoft and five other companies (Guardent, Foundstone, BindView, @stake, and Internet Security Systems—ISS) had teamed to draft a proposal that the companies hope will become an industry standard for handling security vulnerabilities—but only after the Internet Engineering Task Force (IETF) has reviewed the draft. That draft is now available on the IETF Web site. However, noticeably missing from both Microsoft's new program and the draft proposal to the IETF are contingency plans for those instances in which someone reports a security vulnerability to the public before a fix is available.
Should a company remain silent about security vulnerabilities when someone has already informed the public about an exposure? Should a company remain silent when someone offers source code that demonstrates the exposure? Shouldn't a company at least issue a bulletin telling customers what the basic exposure is, how the company plans to address it, and, most importantly, when the company estimates that it can make a fix available?
Let's face it: IETF standards can't be legally enforced, and Microsoft's Gold Certified Partner Program requirements can't be enforced beyond the program's membership. The bottom line is that although Picha's posting full details about the security vulnerability might have been hasty, Microsoft's silence is also questionable.
Microsoft should reconsider its practice of remaining silent until a fix is available. The company needs to make public a contingency plan for how it will react under circumstances such as these—in which vulnerabilities are exposed before a fix is available. Unfortunately, Microsoft's silence does say a lot. I think Microsoft customers would like to be assured that the company's security technicians aren't sitting around having coffee and donuts while intruders look for ways to reshape any available demonstration code into nasty exploits against Microsoft customers. I also think that those who shape the impending IETF Request for Comments (RFC) should include contingency plans in the RFC that specifically state how all vendors should react when those who discover exploits ignore the guidelines. Go to the IETF Web site, click the overview, and read "The Tao of the IETF" to learn how you can take part in shaping the RFC.