RE: Vulnerability Disclosure Formats (was "Re: Funny article")

["Russ" <Russ.Cooper () rc on ca>]

If it was recommended to the public that they report their medical issues along some "guidelines", such as those 
suggested by Steve, people would be dropping like flies.

First, let me give a deep bow to Steve's ongoing and significant efforts in the vulnerability reporting arena. I don't 
think anyone thinks about this issue as much as he does.

That said, I think Steve spent too much time in school...;-]

He acknowledges;

"One challenge is that there are many researchers who are first-timers, so a common advisory format probably wouldn't 
find 100% adoption.  But it sure could help a lot."

and I agree, adoption of some format would help a lot. Adoption of a single language would help more, IMO, and so too 
would adoption of the concept that a vulnerability disclosure isn't anything more than empirical research, but we don't 
live in such a perfect world.

Instead we live with all sorts of Toms, Dicks, and Harriett's discovering all sorts of things, some actual 
vulnerabilities, some fodder for others to turn into vulnerabilities, and very little of it done for anything more than 
the pure exhilaration of discovery itself.

Given how far anyone who releases vulnerable code is from being able to prevent malicious attacks against their code 
from happening, the fact that anyone is willing to devote their own time and effort, for the pure fun of it, to helping 
them fix that ..."stuff"...has to be seen as pure gravy by those developers. Instead, unfortunately, its often not.

Appreciate that I think anyone who releases malicious code, be it in the form of Proof of Concept or actual worm, 
should serve time in a Russian prison. There's simply no excuse. eEye has done a great job of providing more than 
enough information about exploits over the past 2 years without, IMO, writing the basis for malicious code. IMO, they 
consciously choose to change the way they write their advisories. I've my own opinion about how disclosures turn into 
exploits which may be at odds with others, granted.

But to suggest that we need to place any more burden on discoverers, prior to us being able to acknowledge their will 
to not use their discoveries maliciously, is, IMO, insane.

There are very few discoveries that cannot be used for profit of the discoverer. To suggest they should consider 
posting it this way, or that way, only distances them further from disclosing. I'd rather get it raw in broken English, 
than to  suggest they resubmit it in some "better" format. I'd also rather get it from them when their prepared to 
release it, rather than have them disclose it to who knows who to get it formatted better.

What Steve refers to, IMO, is the consumer of such reports (most of you), not the initial recipients (e.g. the lists 
who in turn forward it to you.)

Remember, Steve's goal is to make it simpler to use public reports to assess vulnerability. To minimize conflict 
between sellers of such information when an entity attempts to compare reports. This is all well and good for 
corporations who want to minimize the cost of assessing risk, it has nothing to do with discoverers who are reporting 
to the public for free (albeit they may have a motive.)

Despite the number of discoverers who regularly post to our lists for free, we, as receivers of such information, still 
need to make that process easier for them, and, more valuable to them. If we hope to keep such reports coming to the 
public realm free of charge, as opposed to dealing with 0-day worms that demonstrate newly discovered vulnerabilities, 
we must embrace the discoverers more than we already do. Asking them to do anything more than they already do, IMO, is 
counter-productive to that goal.

Thor Larholm proposed the idea of a "Union" to me. While I don't like the concept of union's in this day and age, our 
field is one that could benefit from such an idea wrt discoverers. They are far too often bashed (and I have been 
guilty of this), and often not recognized for what they do.

Granted, there are far too many of them who use their discoveries to get their 15 minutes of fame, a platform from 
which to castigate everyone who might consume their information. Shame, good researchers show themselves to be 
otherwise motivated sometimes. They don't do this due to improperly formatted advisories, we see it in their demands 
for letters for their resume suggesting they are great, or their inability to do anything other than recommend a 
feature be disabled.

OIS may be a great idea for how companies should ask for reports, and Steve's template thoughts make for a great basic 
format, but neither consider what happens when someone actually discovers something. The first thing they typically 
need is immediate confirmation. "Can you verify this?", "Does it work that way on all versions?". The discoverer, prior 
to actually submitting the discovery for public consumption wants to know the real scope of what they've discovered. 
They may be sitting there with their jaw dropped because their initial thinking is the world's going to come to an end 
due to what they've found.

On my list, first time or inexperienced discoverers frequently, more often than not, over dramatized the effects of 
their discovery. I'm not saying they are inexperienced, or unskilled, but it does seem that the effect of the discovery 
seems to make them over enthusiastic, or overly paranoid. They can envision a way for the exploit to be a killer, they 
haven't stopped to think about how likely that is to happen.

Sending it out for small peer review; which whether anyone other than me acknowledges it or not, happens when you send 
something to one of the security mailing lists...is their way of finding out whether they're full of it or not.

At this point in the process, I, as a receiver, don't care how its formatted. Of course the requisite information needs 
to be present (what OS, what product, how), but as long as the report is written credibly (i.e. it explains what they 
did and the effect they perceived it to have), its my job to figure the rest out. If not me, then who? The rest of the 
world should be sent in a tizzy because some schmoe claims something??

I don't perceive the task of Vendor X to be any different. If they receive a credible report, its their job to figure 
out if its true or not. That they might receive 10,000 reports a day, making the task of determining credible 
difficult, isn't the problem of the reporter. Imagine if 911 didn't do anything until you provided them with the 
suggested details Steve offers?

We aren't, IMO, anywhere near the time when we can suggest such things to discoverers. Before we do we have to announce 
a way for them to be acknowledged, compensated, and embraced. We have to differentiate them from the "hackers", 
"crackers", skript kiddiez", and other denigrating terms, more than we try already.

Microsoft announced a $5mm war chest to catch malcode writers, and I think that's a good idea. I would have liked, 
however, for them to announce a $5mm war chest to go to discoverers, like Netscape's old "Bug Bounty". Maybe they feel 
that would have been too quickly spent, but I know far too many discoverers who are still working on Windows 98 because 
the cost of researching on more modern platforms is prohibitive.

Anyway, bottom line, be thankful we get anything, in any format.

Cheers,
Russ - NTBugtraq Editor