Wednesday, January 24, 2007

Vendor acknowledgement policies

In a recent post on the Matasano blog, Dave G. asks whether acknowledging MOAB in their latest QuickTime security update was a wise decision on Appleā€™s part. I believe that it was, and I recommend that other vendors follow this practice as well.

Microsoft has a stated policy against acknowledging the work of researchers that do not follow their "responsible" disclosure guidelines. This policy has been successful in encouraging the security industry to play by Microsoft's rules, but their definition of "responsible disclosure" is still far from universally accepted. A quick look at milw0rm or bugtraq shows there are many independent researchers who disclose vulnerabilities and publish exploits with no regard for any policies other than full disclosure.

What is the best way for a vendor to handle a publicly disclosed vulnerability? Releasing a workaround or a patch should have the highest priority, but the vendor's responsibilities do not end there. Many advisories are needlessly vague in describing the vulnerabilities, even though the vendor admits that the information is already public. This makes it harder for security teams to evaluate both patched and unpatched bugs and to realistically assess their exposure.

If you don't believe me, take the following challenge:
Without installing any security updates or running any PoC code, find out which of the MoBB vulnerabilities have been patched, and list the corresponding Microsoft security bulletins.
The vendors are in the best position to provide this information. It is not as important that they they credit the researchers, but they need to provide links to all publicly available information about all vulnerabilities addressed in each patch. This is exactly what Apple did by acknowledging MOAB in their latest QuickTime security update, and I commend them for it.

Labels: , , ,


Post a Comment

<< back