Disclosure or Blatant Advertising?

Posted by jericho Wed, 09 Nov 2005 07:40:59 GMT

Security advisories are a form of advertising. First and foremost, they are used to promote the technical capability of a security company and showcase the talent. If a researcher or company was completely altruistic, they would not release an advisory and would not care about credit if the vendor released an advisory. Releasing vulnerability information has been used as a form of marketing for over a decade, and it works for everyone. The company releasing the information gets free press, the security community gets vulnerability information in return. In recent years, many companies have relied on it for getting started and attracting their initial customer base.

With the full vs responsible disclosure debate a constant shroud hanging over security companies, they must be careful not to scare away potential customers by giving the impression that they don’t care about security or the repercussions of their disclosure. As such, many companies have taken a very strong stance on responsible disclosure, some arguably taking it too far.

One example of this strong stance is NGSSoftware, who began withholding details of vulnerabilities for 90 days in order to give administrators plenty of time to patch. This is a good thing overall, and NGSS has set a good example showing that security companies can help the community while protecting it at the same time. Of course, NGSS should make sure to release those details after 90 days, something they don’t always do in a timely fashion. An example of NGSS’ policy can be seen in their recent post to Full-Disclosure as well as their immediate follow-up. While vague, it does tell us that multiple vulnerabilities were found, what software they were found in, and what types of vulnerabilities they are. These correspond to information provided in the Oracle security bulletin and serve as a warning about the severity/importance of the vendor patch.

A few weeks ago, Integrigy Corporation took it too far in my opinion. In a posting to Full-Disclosure titled Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update October 2005, they provided a four page summary of ... no vulnerability disclosure. The bulk of the post was to point out that they had released an analysis of the Oracle patches and what the patches could mean for customers. While this information is helpful, it is NOT disclosing a vulnerability in any fashion. The only thing resembling disclosure was the ‘credit’ section, which states:

Some of the vulnerabilities fixed in the Critical Patch Update October 2005 were discovered and reported to Oracle by Stephen Kost of Integrigy Corporation.

This isn’t disclosing a vulnerability, and should not be posted to a list centered around full disclosure. The company name “Integrigy” appears 14 times in the post, and their company URL 3 times. They mention their products AppSentry and AppDefend a total of four times.

Argue all you want, but this is blatant advertisement, not a security advisory.


Comments

  1. swtornio said about 6 hours later:

    Jericho, you clearly have not checked NGSS’s history this year. There are 13 advisories outstanding this year, and 11 more from 2004, for which there has been NO further disclosure. This is exactly your scenario of advisories as marketing. Their advisories provide no benefit to the community, and only serve to brag that they discovered a bunch of flaws that we don’t get to know about. They are happy to sell you a software product (NGSSquirrel) which detects them, though.

  2. jericho said about 13 hours later:

    I clearly need to dig into their past advisories vs full disclosure then =) I was under the impression that they did routinely release details, just not always at the 90 day point. I can say that in the past, when asking very basic questions about their advisories trying to determine if their discovery was the same vulnerability as another that was fully disclosed about the same time, they did not answer.

  3. swtornio said about 13 hours later:

    I emailed them about it once, and got a very nice reply that said they were awfully busy, and would do their best to release the promised information. They are well within their rights to never release it, of course, but they need to stop claiming that they have some “responsible disclosure” policy. It’s really a zero disclosure + marketing blurb for NGSSquirrel whenever they release advisories now.
