The Responsible Disclosure of Software Vulnerabilities in a Nutshell
Computer security vulnerabilities have spawned a booming industry. Between the heightened global focus on security and the proliferation of high-profile computer viruses and worms with major worldwide impact, the time is right to be in the computer security business. When one asks who benefits from security problems, the first answer is usually the attackers: breaking into vulnerable computer systems and stealing money and valuable information from victims can be an easy and profitable line of work.
There is another side to this burgeoning industry, however: the community of security professionals who build a reputation and earn a living by finding and reporting security problems. While attackers stand to gain substantially from illegal activity, working as a computer security professional can be quite lucrative as well, with the added benefit of not having to break the law or compromise one's ethics. Quite often the technical details and challenges of this legitimate work differ little from those of the same work done for less legitimate purposes.
Researchers are motivated to disclose vulnerabilities because they believe that disclosure forces vendors to be responsive in patching software and to place greater emphasis on shipping more secure software in the first place. Some researchers also simply enjoy the intellectual challenge of finding vulnerabilities in software, and in turn relish disclosing their findings for personal gratification or for credibility among others in the field.
There are several ways of classifying exploits. Exploits can be classified by the type of vulnerability they attack: buffer overflow, integer overflow, other forms of memory corruption, format string attacks, race conditions, cross-site scripting, cross-site request forgery, and SQL injection, for example. Buffer overflow related exploits remain the most common type. Exploits can also be classified by how the exploit reaches the vulnerable software. A remote exploit works over a network and requires no prior access to the target system. A local exploit requires prior access to the vulnerable system and usually elevates the privileges of the person running it. Because of the reach of the Internet, network-borne computer viruses and worms are the main vehicles by which exploits spread.
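To make the first two classes in that list concrete, the following is an added example written for this page (it is not code from the original article or from any vendor): a stack buffer overflow beside a bounded replacement, and an unchecked allocation-size multiply beside its overflow-checked form. All function names, the buffer size NAME_LEN and the sample inputs are assumptions constructed for illustration.

```c
/* Added example for this page, not from the original article.
 * Two of the vulnerability classes named above, each next to a fix.
 * NAME_LEN, the function names and the inputs are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Class 1, buffer overflow. strcpy() copies until the NUL terminator
 * and has no idea how large dst is: input of NAME_LEN bytes or more
 * writes past `name` into whatever follows it on the stack. This is
 * the bug; it is only safe to call with input shorter than NAME_LEN. */
int greet_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bounds check: the vulnerability */
    return (int)strlen(name);
}

/* Fixed: measure first, refuse anything that does not fit including
 * the terminator, and copy with an explicit length. Returns the copied
 * length, or -1 if the input was rejected. */
int greet_checked(const char *input, char *out, size_t out_len) {
    size_t n = strlen(input);
    if (out_len == 0 || n > out_len - 1) {
        return -1;                   /* too long: reject, never truncate silently */
    }
    memcpy(out, input, n + 1);       /* n + 1 copies the NUL as well */
    return (int)n;
}

/* Convenience wrapper: the checked copy into a NAME_LEN stack buffer. */
int greet_checked_local(const char *input) {
    char name[NAME_LEN];
    return greet_checked(input, name, sizeof name);
}

/* Class 2, integer overflow. count * elem wraps around for large
 * counts, so malloc() gets a small size and the later loop writes
 * far past the allocation. Returns the wrapped value unchanged. */
size_t array_bytes_unchecked(size_t count, size_t elem) {
    return count * elem;             /* silently wraps modulo SIZE_MAX + 1 */
}

/* Fixed: detect the wrap before it happens. Returns 1 and stores the
 * product in *out when it fits, 0 when it would overflow. */
int array_bytes_checked(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) {
        return 0;                    /* product does not fit in size_t */
    }
    *out = count * elem;
    return 1;
}

int main(void) {
    size_t bytes = 0;
    printf("short name:   %d\n", greet_checked_local("alice"));
    printf("long name:    %d\n", greet_checked_local("this-name-is-far-too-long"));
    printf("4 x 8 fits:   %d (%zu bytes)\n",
           array_bytes_checked(4, 8, &bytes), bytes);
    printf("SIZE_MAX x 2: %d\n", array_bytes_checked(SIZE_MAX, 2, &bytes));
    return 0;
}
```

The unchecked functions are deliberately left in so the reader can see how little separates the two forms: in both cases the fix is a single comparison against a known bound performed before the write or the multiply, which is exactly the check a reviewer looks for when triaging a report in either class.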
The black hat hacker community is known for practicing a policy of non-disclosure. What makes non-disclosure difficult to quantify is a paradox: there is no good way to measure how many flaws have been found but never reported. The motivations for non-disclosure range from malicious intent to simple laziness.
Arguments against full disclosure, the practice of publishing a vulnerability without first consulting the software vendor, tend to mirror the arguments for it. The most salient argument against it is that exposing a vulnerability before the vendor has a fix increases the risk of widespread exploitation of users' systems; many point out that within days, or even hours, of a full disclosure a scripted exploit becomes available for script kiddies to consume. This undercuts the claim that full disclosure protects users, because in reality, even with a heightened focus on security and automatic system updates, users are not security experts and do not follow the multitude of security bulletins and reports generated every day. It is therefore important for the whole industry to recognize its unsung heroes: the ethical hackers who find vulnerabilities before attackers do and report them so they can be fixed.