Coordinated vulnerability disclosure

Last updated

In computer security, coordinated vulnerability disclosure (CVD, formerly known as responsible disclosure) [1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. [2] This coordination distinguishes the CVD model from the "full disclosure" model.

Contents

Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities. [1] Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities. Hiding problems could cause a feeling of false security. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months.

Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion. [3] [4] While a market for vulnerabilities has developed, vulnerability commercialization (or "bug bounties") remains a hotly debated topic. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005. These organizations follow the coordinated vulnerability disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI. [5] Independent firms financially supporting coordinated vulnerability disclosure by paying bug bounties include Facebook, Google, and Barracuda Networks. [6]

Disclosure policies

Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. [7]

ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor. [8]

Examples

Selected security vulnerabilities resolved by applying coordinated disclosure:

See also

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

<span class="mw-page-title-main">Dan Kaminsky</span> American computer security researcher (1979–2021)

Daniel Kaminsky was an American computer security researcher. He was a co-founder and chief scientist of Human Security, a computer security company. He previously worked for Cisco, Avaya, and IOActive, where he was the director of penetration testing. The New York Times labeled Kaminsky an "Internet security savior" and "a digital Paul Revere".

Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's CharlieCard automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution.

<span class="mw-page-title-main">Pwnie Awards</span> Information security awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held twice a year, most recently in March 2023. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

<span class="mw-page-title-main">ImmuniWeb</span>

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops Machine Learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

HackerOne is a company specializing in cybersecurity, specifically attack resistance management, which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the digital attack surface. It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure. As of December 2022, HackerOne's network had paid over $230 million in bounties. HackerOne's customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

<span class="mw-page-title-main">Katie Moussouris</span> American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

Alisa Shevchenko, professionally known as Alisa Esage, is a Russian-born computer security researcher, entrepreneur and hacker with Ukrainian roots. She is known for working independently with dominant software corporations such as Google and Microsoft to find and exploit security weaknesses in their products; being the first female participant in Pwn2Own, the world's premiere professional hacking competition with significant cash prizes; and being accused by the government of the United States of hacking the presidential elections in 2016.

<span class="mw-page-title-main">Rafay Baloch</span> Pakistani ethical hacker

Rafay Baloch is a Pakistani ethical hacker and security researcher known for his discovery of vulnerabilities on the Android operating system. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, and The Express Tribune. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

In digital computing, hardware security bugs are hardware bugs or flaws that create vulnerabilities affecting computer central processing units (CPUs), or other devices which incorporate programmable processors or logic and have direct memory access, which allow data to be read by a rogue process when such reading is not authorized. Such vulnerabilities are considered "catastrophic" by security analysts.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Sam Curry is an American ethical hacker, bug bounty hunter, and founder. He is best known for his contributions to web application security through participation in bug bounty programs, most notably finding critical vulnerabilities in 20 different auto manufacturers including Porsche, Mercedes-Benz, Ferrari, and Toyota. In 2018, Curry began working as a security consultant through his company Palisade where he disclosed vulnerability publications for security findings in Apple, Starbucks, Jira, and Tesla.

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.

References

  1. 1 2 Ding, Aaron Yi; De jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing. Ictrs '19. Rhodes, Greece: ACM Press. pp. 49–55. arXiv: 1909.11166 . doi:10.1145/3357767.3357774. ISBN   978-1-4503-7669-3. S2CID   202676146.
  2. Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (2018-11-19). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure" (PDF). Crime Science. 7 (1): 16. doi: 10.1186/s40163-018-0090-8 . ISSN   2193-7680. S2CID   54080134.
  3. Kuhn, John (27 May 2016). "Bug Poaching: A New Extortion Tactic Targeting Enterprises". Security Intelligence. Retrieved 23 January 2022.
  4. Rashid, Fahmida (9 September 2015). "Extortion or fair trade? The value of bug bounties". InfoWorld. Retrieved 23 January 2022.
  5. Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel (2008). "Modelling the Security Ecosystem - The Dynamics of (In)Security".{{cite web}}: CS1 maint: multiple names: authors list (link)
  6. "Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations" . Retrieved 2023-08-21.
  7. "Feedback and data-driven updates to Google's disclosure policy". Project Zero. 2015-02-13. Retrieved 2018-11-17.
  8. "Disclosure Policy". www.zerodayinitiative.com. Retrieved 2018-11-17.
  9. "MD5 collision attack that shows how to create false CA certificates".
  10. Goodin, Dan (2015-05-24). "Researcher who exploits bug in Starbucks gift cards gets rebuke, not love". Ars Technica. Retrieved 2023-05-16.
  11. "Dan Kaminsky discovery of DNS cache poisoning" (PDF).
  12. "MIT students find vulnerability in the Massachusetts subway security". Archived from the original on 2016-03-18. Retrieved 2009-04-29.
  13. "Researchers break the security of the MIFARE Classic cards" (PDF). Archived from the original (PDF) on 2021-03-18. Retrieved 2009-04-29.
  14. 1 2 "Project Zero: Reading privileged memory with a side-channel". 3 January 2018.
  15. The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas, November 2017
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.