Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer

JH
John Honovich
Published Mar 30, 2018 12:38 PM

Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best protected and updated against exploits.

But who should disclose this? Cybersecurity researcher, Bashis, who has found vulnerabilities in numerous video surveillance products, recently asked this. We gathered 150+ integrator responses to see what they believe is the right answer.

A clear theme emerged: Integrators overwhelmingly believe manufacturers are responsible for announcing but almost equally are worried that manufacturers will avoid that responsibility. 

Inside we examine the results and share detailed integrator feedback.

Exec ******* - *****

*********** **** ******* ***** ******* ************* disclosing, *********** ********** *** '****' **********:

Hiding ** *************

**** *********** ********* ******** **** ************* are ********* ** **** ** ******* ************* disclosures: 

  • "** ***** ** **** ** *** manufacturers ***, *** **** ***** **** sugar **** *** ***** ** ******** their ********* *********."
  • "*** ****** **** ******* ** ** just *** ************ ** **** **** almost ********* ***** ************ ***** **** can **** ** ** ***** ******."
  • "***** ************* *** ********, **** ** not ******* **** ******* *** *** need ** **** ** *********."
  • "************* ****** ** ******* ** ***** disclose ******* ******** **** *** ********** going ******. ******** ** *** **** sanitizer."
  • "***** ** ******* **** *********** **** an **********'* ********** **** * **** an ***** ** * ******** ****** up ** ***** ****** * **** it **** *** ************. **** **** you **** ** *** ************ **** are ***** *** **** ** ** not ****** *** *** **** ** addressed ** *** **** ********."
  • "************** ***** ** ** *** ************, but ** ******* **** ***** **** it ** ***** ***** ***** ****** by ****** *** ** *** ******** impact **** *************** *** ** *** rest ** *** ******."
  • "* ******'* ***** *** ************* ** be *********** ***** *************** ********** ***** their ********."
  • "************* ***'* ** ****** **** ******* researchers ******* **** ** *****"

Researchers ********, ** ************ ** ***

******* ** *** ******* ** ************'* hiding, *** **** ****** ********** ******** was **** *** ********** ****** ******** it ** *** ************ ******* ** do **:

  • "*** ************ ****** *** ************ ***** to ******** **, **** *** ********** who ***** **!"
  • "** *** ************ *****'* ******* *** deal **** *** ***** **** *** researcher ****** **** ******* **** ***** own *****."
  • "************ ****** ** **, *** ** they *** “********* **********” **** ** falls ** *** ********** ** **** the ************ ** *** ******."
  • "** *** ************ **** *** ******** after ** *** **** *****, **** *** researcher ****** ***** * ************ ** informed *** ***** * ***** ****** of **** **** *** ********."
  • "*** **** ** ** *** ************, however, ** ** **** ***** **** they ***'* ****** ******** *** ************* until **** **** ******* **. ********* it **** **** **** ** *** researcher ** ****** **** ****** ******* it ** * ***** **** **** for ***** ** **** ** ****."
  • "*** ****** *** ***** ** ****** contact *** ***** ** *** ******* and (********* ** *** ****** ** the *************) **** **** ** *********** time ** ******* *** *******, **** if ** ****** *****, *** ****** who ***** ** ****** **** ******."
  • "** * ******* *****: *** ************. However *** *** * ******* *****, If * ************* ** ********** *** the ************ **** *** ***** *** or *** ** **** ** *-* months *** ********** *** ***** ** should ******** **."
  • "** ****** ** *** ************* ********** to ****** ***** ******* *** *** industry ** * ****** ******. ** that ************ ** *** ****, **** I ******* **** *** ********** *** an ************** ** ******* ***** ******** and **** **** ***** ** *** public."
  • "*** ************ *** * ************** ** their *********** ** ******** ************** **** may ****** ***** ****** ********. ** they ** *** ******* ** ** issue, ** ****** ** **** ******."
  • "*** *** ****** **** ** ******** the *********** ** ******* *** ***** and ************ ** *** **** ****. If *** ****** *** *** ***** place, *** ********** ****** ******** *** finding."
  • "********** ****** ****** *** ************ *** if ************ **** *** **** ** right ** ****** *** ***** *********** then ********** **** ** *** **** so ****** **** *****."
  • "** *** ************ ******* **** *** make *** ******* ****** *** ******* to ******* ** *****'* *****, **** it ** ********* ********** *** *** researcher ** ***** ***** **** ************** they **** ***** *** *****, ******** disregard *** *** *********, ** *** otherwise **** ***** ** *** *********** that **** **** *** ********* **** responsibility/effort *** ***** ******."

Both ********

**** *********** ********* **** '****' ** 'all' ****** ******** *** ******** ** maximize *** *********** **** ***** ****** are ***** *** ** *********** *** users:

  • "****** ****, ** **** *** ******** vendor **** ****** **** * ***** channel *** ******** *** ******** ****** quickly *** ******."
  • "****. ** ********* ***** **** ** find *** ********** **** **** *****"
  • "****. ****** ************* ** ********** ********* the *************, *** *** ************ ******** how ** ******* ***** *******."
  • "**** *** *********** *******. ** *** know ** * *************** ** * product ** ***** ** ** *** best ******** ** ********* *** *** the ******* ** ** **** ***** immediately ** *****-******** ******. ********** ****** inform *** ************ *** ** ************ does *** **** ** ***** ** fixing *** ***** *********** **** ********** need ** *** **** ** ****** area *****."
  • "****. *** *********** ****** ******* *** manufacturer **** * **** **** ****** them **** ** *** *** ************* but **** ******** *** ******** **** to ****** **. **** *** ********** will *** ** ********, *** *********** will ****."
  • "* ***** ****. *** ********** ****** release ** ** *** ****** *** the ************ *** *** ****** ************** of ********** ***** ******* *************** *** helping ** *** *** ******."
  • "****. *** *** ********** ****** ** primary, ** *** ************'* ******** ******** of ******** ***** **** ****** ** selective (** ***) **********."
  • "****. ** ***** ** * ****** industry. ************* ***'* ** ****** **** without *********** ******* **** ** *****, and ***** ********** **** ********** * vulnerability ** **** * **** *** themselves."

Burden *** ***********

***** ** ** ************** *** *********** would **** *********** ** ******** / disclose, **** *********** *** *********** ** cybersecurity, *** ********* ** ****** *********. Also, **** *** ***** **** *** no ************, ** ** *** ** costly *** **** ********* *** **** to ********** **** ***********.

Marketing ******** *** ************* *********

** *** ***** ****, ************* ********* are ******** **** *********** *** ** great ********* *** **** (*.*., *****'* *** ** ******** ********** ************ Cybersecurity****** / ********* ************* *******). **** **** ********** ************* ** campaigns ***** **** ********** ****** *** work **** ******* **** ****** ***** outfits ** *** ***** ********* ******** articles. **** *** ** ****** ** both *** ************* *** **** *** vulnerabilities *** * ******* *** *********** who **** **** ** **** **** the ************ ** *** *********** ****** in *** ** ********.

Challenging ********* *** ***

**********, *** ********* ** * *********** one **** (*) **** ************* ********* to ******* ** **** ********, (*) researchers ******** ** ****** ****** ********* *** (3) ************* ********* ******* *** *************** to ****** ***** *** *********.

Comments (11)
Avatar
Jonathan Lewit
Mar 30, 2018

Another complication is the security through obscurity position. Just because a risk was found, doesn't necessarily mean anyone was exploiting it. What happens when the risk is identified before proper remedies can be put in place? Is that creating more risk by telgraphing weaknesses that otherwise may have gone unnoticed?

Coming from the manufacture side, I am a big advocate of the manufacturer stepping up and taking the lead. The critical need is to build trust with business partners and customers. Cyber security is a complex issue that requires all parties to work together. If anyone doubts the positive intentions of the other, the system breaks down pretty quickly.

(1)
bm
bashis mcw
Mar 30, 2018
In reply to Jonathan Lewit

security through obscurity position

Never been a good idea, and will never be either.

Just because a risk was found, doesn't necessarily mean anyone was exploiting it. What happens when the risk is identified before proper remedies can be put in place? Is that creating more risk by telgraphing weaknesses that otherwise may have gone unnoticed?

I can't be sure, but my guess is it has already been exploited in one way or another.

What I am saying (with very few exceptions) for the things I have found while researching (and still do), has been known for years of some people/organisations and even manufacture itself, I am not so naive that I think I'm the first one who find +5 or even +10 years backdoor and/or vulnerabilities.

I may be the first one who publicly disclose, but that is different thing.

 

(2)
(1)
Avatar
Jonathan Lewit
Mar 30, 2018
In reply to bashis mcw

I fully agree with the distaste for security through obscurity.  Indeed I have lead several discussions around standardizing security practices, where this is often raised as a detractor.

Again, I think it comes back to trust and would try to lean towards being more proactive.

(1)
bm
bashis mcw
Mar 30, 2018
In reply to Jonathan Lewit

distaste for security through obscurity

I also feel that encrypted firmware is sort of 'security through obscurity', and every time i encounter encrypted firmware i ask myself 'what are you trying to hide that is so important that you need to encrypt the firmware?" 

I don't see the point to encrypt firmware, unless it is within some point of protecting wrong firmware is uploaded to wrong device that potentially brick the device.

Again, I think it comes back to trust and would try to lean towards being more proactive.

Agree to certain point with you, but would like to know more what 'trust' and 'proactiveness' you mean?

U
Undisclosed
Apr 02, 2018
In reply to bashis mcw

I think encryption as a mechanism to protect proprietary information or customer data is perfectly reasonable.

Encryption to protect your lame web server configuration because you can't read the apache httpd2 man page is not helpful.

I also think a proper security review needs to include access to many details proably including the firmware. 

P.s. mystery meat browser plugins used to display camera video relate to this too..

U
Undisclosed #1
Mar 30, 2018

There should be a reward for the researchers time whether or not some take the initiative to provoke what seems to be safe or stumbling onto a curious mistake. Some of us cannot break habits and some of us cannot adopt new ones. Hopefully soon AI can look for anomalies in code and authentication standards and simply post the nature of how secure a location on a network performs. Think of the password strength bar, it changes colors the more complex your password, AI can do that and probably already does as it is obviously machines can farm us.

My general answer is, it depends on the mindset of the researcher to disclose what one has found and that could change on a day to day basis, emotion or caffeine level.

JH
John Honovich
Mar 30, 2018
IPVM
In reply to Undisclosed #1

There should be a reward for the researchers time

I think there should be but who should give it? The party most interested are the manufacturers, but as the results above show, integrators are rightfully concerned that if the manufacturer rewards the researcher, they will tie that to the vulnerability not being disclosed at all.

bm
bashis mcw
Mar 30, 2018
In reply to John Honovich

John, what you are talking about here is NDA (Non Disclosure Agreement), quite common to be offered together with "award and/or potential work offer" when unearthing vulnerabilities and shared with manufacture.

I'm 100% against to sign any NDA, as once signed you are not independent anymore.

 

Besides, for the employer I actually _do_ work for, no need to force me to sign NDA as that comes naturally with the work for me.

 

 

(2)
bm
bashis mcw
Mar 30, 2018
In reply to Undisclosed #1

My general answer is, it depends on the mindset of the researcher to disclose what one has found and that could change on a day to day basis, emotion or caffeine level.

It must be disclosed in my opinion, as it will help other researchers to assess the risk level, IDS/IPS can have updated signatures to catch these threats... etc.

Yes, it surely do come with additional risk to have devices compromised with noob / kiddies, or even sophisticated attackers, but I genuinely think Full Disclosure is the best option in general.

 

(3)
U
Undisclosed #1
Apr 02, 2018
In reply to bashis mcw

thank you bashis mcw. disclosure has many levels. a palace viewed from the outside may encompass  the mind, however the internal reattribute struggles of the infrastructure may resemble that initial reaction to which you perceive.

Structures change, however I have caught public RFPs, BIDs, SOWs reduced to a single creator. Most of my criticism belongs to obvious yet oblivious changes by the designer.

Again, thank you Bashis. I know you see the internal store bought designs that only grasp vague encounters of cheerios with fruit.

 

Avatar
Michael Glasser
Apr 01, 2018

For those interested, here is some information on this topic.  No endorsement implied.  

"ISO/IEC 29147:2014 gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. ISO/IEC 29147:2014"

Hackerone - General Motors