Responsible disclosure or concealed bug report?

(Ir)responsible disclosure

The InfoSec community is notorious for fabricating new, badly chosen security terms. Responsible disclosure is no exception. Several definitions of responsible disclosure can be found on the Internet. In short, responsible disclosure means that a person who discovers a security vulnerability responsibly discloses it to the affected organization. That person will not disclose the issue to the public until it is addressed. In return, the affected organization will not press criminal charges against the discoverer. In some cases the discoverer is also rewarded (bug bounty) – with the reward varying between organizations.

Most vulnerability reports are only sent to the affected organization(s). We can't really call it disclosure in these cases; it is just submitting a bug report. That is probably also how the affected organization likes to handle the matter: fix the issue and don't inform the public. In that sense we can't even call it responsible either. If users were at risk, they aren't even informed, and it is thus not possible for users to take corrective measures such as changing their passwords. That is not acting responsibly, or is it?

The Good Samaritan

Let's face it; responsible disclosure serves the needs of organizations, not the needs of vulnerability reporters. If someone reports a vulnerability, the 'responsible' thing to do is to keep quiet about it - at least until it is fixed. The organization handling the report can now sit on it for a very long time without doing anything. If the discoverer discloses the vulnerability before it is fixed, he/she can be attacked for being irresponsible.

Basically, responsible disclosure puts pressure on the discoverer, not on the affected organization. This should be the other way around; organizations should feel pressure to resolve vulnerabilities swiftly. In that respect "coordinated disclosure" is a better term than responsible disclosure. However, this term implies that the vulnerability will be disclosed to the public, which is something most organizations want to prevent as much as possible.

Vulnerability reporting pain

When a vulnerability is found, the reporter has to inform the affected organization, which in most cases is a real pain. First you need to find the correct way to report the issue. Decide whether you want to encrypt your report (PGP/GPG equals more pain). Hopefully the report is picked up and confirmed. The reporter now has to deal with people not understanding the issue, downplaying the issue, et cetera. Finally, when the issue is acknowledged, the waiting begins. In most cases you'll have to be very patient. If you are lucky, you are updated on the progress of the fix. In practice you'll need to keep track of the issue yourself and request status updates. When the fix is created/deployed you may or may not receive credit (and/or a bug bounty).

Given how some organizations handle vulnerability reports, responsible disclosure is not always the most responsible thing to do. Disclosing vulnerability information to the public is often a good way to force organizations to fix vulnerabilities quickly. We cannot assume that nobody else has discovered the same issue. It may very well already be abused in the wild. Resolving vulnerabilities quickly helps to protect users.

Be transparent, cherish reporters

Lately, many organizations have started to adopt a responsible disclosure policy. Initiatives like Bugcrowd & HackerOne emerged to aid discoverers in reporting vulnerabilities. I think this is a good thing. At least having a single point of contact operated by skilled personnel helps to improve the process. Of course, this is not a silver bullet; for some people, a responsible disclosure policy is simply an invitation to scan any website that has one.

In my opinion we must stop trying to conceal security issues. It is always good to inform users. Everyone has to deal with vulnerabilities; I'd like to see more openness on this matter. Be proud of the fact that you take vulnerabilities seriously. Show the public that you are capable of squashing security bugs promptly. Inform users what actions they should take. Treat vulnerability reporters well; make sure to:

  • make reporting vulnerabilities as easy as possible;
  • acknowledge reports as soon as possible;
  • show that you take reports seriously;
  • address vulnerabilities swiftly;
  • keep reporters informed, let them know they are not forgotten.
