If a tree falls in the woods...
Posted by jericho
If a researcher discloses a vulnerability only to VDBs, and some or all of them publish the information, was the vulnerability really disclosed? Yes, of course, but should it have been? Are VDBs responsible for the information? Does it fall on us to check everything we get and verify that the vendor received it first? Snap answer is ‘yes’, but if so, is the answer the same for information published on a mail list? Snap answer is ‘no’.
This creates a situation where VDBs are held to certain standards for responsible disclosure, and are virtually forced to play middleman between the vendor and the researcher. VDBs are forced to take on a role they may never have intended to, or else take a hit to their reputation for being responsible with information that may put others at risk.
Late night babbling, or is that a shitty deal for VDBs?

How often does this happen? Is it that hard to ask a researcher if they have disclosed the vulnerability to the vendor? Can you not just hold it until it has been confirmed or other VDBs publish it, assuming there are no other ethical constraints?
With OSVDB, it happens almost once a day. Many times we see the same information hit a mail list within 24 hours, but it is something else we get to track. Other times other VDBs will be CC’d on the mail to us (or we’re in the CC), and one of the others will publish the information. There are times when we reply asking if it has been disclosed, or asking for followup information, and it will take weeks to get a reply (if at all).
Part of what I was getting at is that if we wait until another VDB publishes it, our hands are clean. But shouldn’t each VDB be holding it until a vendor is informed? In an ideal world we’d all be waiting on each other and it would never get published. That in turn would likely piss off the researcher and he would quit sending the info to all of us, which in turn forces us back into the role of “ethical disclosers” and adds work.
It seems to me that a VDB is free to publish any information which is sent to it if the information seems credible. It might be marked as “unconfirmed” if the vendor has not been notified and acknowledged it.
An organization like OSVDB may choose to adopt and encourage certain “responsible disclosure” guidelines, but should neither accept attempts by others to impose their idea of “responsible disclosure” on it, nor attempt to impose its own idea of “responsible disclosure” on others.
To your point, I think if OSVDB receives information that has been sent to a number of other VDBs at the same time, it seems clear that the sender intended for the information to be published, and it should be. If it is not clear that the vendor has been notified, it might be prudent to first notify the vendor (bcc the submitter) and offer to hold off publication for a short period, such as 24-48 hours, but no longer. If there’s no response, or an unreasonable response, go ahead and publish.
If the info is in the hands of other VDBs, you have to assume that it is spreading far and wide, such as to their “paying” early warning subscribers, and it would be irresponsible not to put the same information in the hands of the public.
On the other hand, if OSVDB receives information that has NOT been sent to others, it’s possible the submitter is seeking assistance in notifying the vendor or coordinating an investigation and disclosure, or is unfamiliar with “the way things are usually done”. In that case, the submitter’s intent should be clarified if possible, and if OSVDB chooses to take on the role of coordinator, it should do so; otherwise, refer the submitter to CERT/CC.