Welcome to 2019, BTW disclosure is still borked

Straight up TL;DR here… I don’t give a flying toss which form of disclosure you choose to use when disclosing vulnerabilities, just do not preach to me regarding how I should go about the process. I am writing this short rant to answer the perpetual questions I receive around which disclosure discipline I personally subscribe to, and what led me to make the decision. Oh… bit of a language warning and the usual “opinions are my own and not the views of my employer”.

It is a relatively normal day for me. I get out of bed, grumble around as I get myself sorted for the day, and then wander down to the train station to make my way to work. The train arrives, the doors open, and I jump aboard joining the plethora of other humans performing the “I’m trying not to rub up against you” commute dance. The train rolls away from the station and I habitually open up twitter on my phone to catch up with whatever insane shitstorm the crazy world of infosec has left behind since I closed the feed the night before. Like normal, there are tweets about cats.. tweets about someone stoked about doing their first hacker presso…. tweets about the usual Trump bullshit… and tweets about animals hell bent on killing humanity; you know the ones… the “only in Australia” animals which will one day rule the world through fear. Just another standard day. Oh this looks interesting… some researcher has found a sexy vulnerability which can lead to remote code execution on a host. Interested, I open the tweet, start reading the content and then BAM it happens, just like it has happened countless times before… the ever present bombardment of “look at me; notice me” tweet replies from keyboard warriors around the world wanting to crucify the researcher for not disclosing the vulnerability in a format that the faceless respondent believes is the one and only way of undertaking disclosure.

Oh for fuck’s sake people! It’s 2019 and we are still debating whether we should be undertaking full disclosure or coordinated disclosure?? Oh hang on!! Wait one minute!!.. I said coordinated disclosure!!!!! Crucify him! Crucify him! Surely you meant responsible disclosure?!? Sigh…

I have been in this industry for a very long time now; the peppered grey hair and white beard suggest perhaps too long. When I was still wet behind the ears I participated in the exact same debate and I blindly aligned myself with the Cult of Responsible Disclosure (CURD). Our CURD believed that the onus was solely on the researcher to do the right thing and report all vulnerabilities to the vendor in question at all times. Our memorandum of understanding was that the vendor shall be the whipmaster and, unless expressly permitted by said vendor, the public were under no circumstances to be made aware of any security issues which may exist. Now hindsight dictates that this fanatical ideal would obviously never benefit all parties involved in the disclosure, however at the time being in the choir of CURD seemed to be the correct alignment.

Woah woah woah … come on, be fair and upfront old man. Surely responsible disclosure did work from time to time? Ok, yes… you are correct. Prophecies from the CURD gospel did come to fruition from time to time. There are many examples of all parties working together responsibly, however the majority of disclosures ended with the vendor pointing fingers at researchers, citing that we were performing illegal activities, arguing that we were not setting reasonable time frames for public disclosure, debating whether a vulnerability was truly a bug or whether it should be classified as a feature, and so on.. and so on.. and so on. This old bingo card was the perfect bookmark to use with the CURD bible.

One of my favourite examples of CURD failure was when dealing with QNAP regarding a vulnerability which I identified in one of their NAS devices. Enter stage left the undertaking of standard CURD process. For those of you who do not know what this process is, the playbook generally goes a little something like this:

  • find vendor contact
  • request PGP key for secure communication
  • wait
  • wait
  • re-request PGP key for secure communication
  • ohai o/ from vendor, PGP key provided
  • hand over all research material and proof of concept code
  • wait
  • wait
  • send email to vendor and ask if they received information
  • wait
  • wait
  • ohai o/ from vendor, commence debate for weeks on end regarding reasonable time frame for disclosure
  • wait
  • wait
  • send email to vendor and ask for update on disclosure period
  • wait
  • wait
  • ohai o/ from vendor, finally agree on time frame
  • wait
  • wait
  • send email to vendor to advise D-day for public disclosure is one week away
  • wait
  • wait
  • ohai o/ from vendor, we’re not ready and need more time
  • …..
  • …..
  • …..
  • 120 days later, after a 30-day disclosure period, the vulnerability goes public
  • /researcher pats self on back and is so proud that all the free time and energy spent on the process was time well spent.
  • /researcher finds another bug and starts same process all over again

This was the normal process, which rarely came with too many variables. There was no need for us to whinge as we are disciples of CURD after all.

So, back to the QNAP story; initiate CURD process:

  • find vendor contact
  • request PGP key for secure communication
  • wait
  • ohai o/ from vendor. Huh? Only one wait bullet point and the PGP key was provided. Nice!! This is why I love CURD!!!!
  • hand over all research material and proof of concept code whilst smiling and feeling super positive. Go team CURD!!!!!
  • wait
  • wait (it’s okay.. this is normal)
  • send email to vendor and ask if they received information
  • ohai o/ from vendor! Huh? No wait bullet point?! CURD rocks! Vendor is looking into it and will respond when they give a fuck.
  • wait
  • ohai o/ from vendor. Early response from vendor again! CURD rocks! Go team CUR…. huh? what? The response was a positively laced go fuck yourself email?

“What did the email say?” I can hear you chanting…..

OH CURD!!!! WHY HAVE YOU FORSAKEN ME!!!! Did QNAP really say that they are not going to fix it? Did they really try to buy me out by giving me free kit so I could spend more free CURD disciple time helping them find more bugs? Did they really request that I don’t request a CVE-ID or disclose the vulnerability?

I was so confused, however to be honest I am really glad that this event, and many before it, happened to me. As a researcher I believe this may have been that groundhog day moment which helped me mature a little, helped me set my own personal disclosure policies, and to be honest, helped me to harden the fuck up a tad when it comes to vulnerability research. I was able to successfully excommunicate myself from CURD, able to rename “the old responsible disclosure testament” to “the old ‘coordinated disclosure’ testament”, and started to embrace “the new full disclosure testament”. Eww.. ok.. all this religious cult analogy shit is getting a bit weird, I’ll stop.

Not that it should really matter to you, as each and every one of us should be able to make up our own minds regarding the appropriate path to disclosure, but here is how I now personally deal with disclosure (and non-disclosure).

  • If a vulnerability could present a real risk to public safety, I undertake coordinated disclosure.
  • If a vulnerability could potentially hurt any of my family or friends, I undertake coordinated disclosure OR non-disclosure.
  • For coordinated disclosure I am open to discuss reasonable time frames for remediation, however generally I will set hard time limits which are not variable.
  • If there is a case where my research can assist my employer, I will undertake coordinated disclosure with a vendor and allow reasonable marketing activities to be undertaken by my employer regarding the disclosure.
  • If the vendor has a bug bounty available, I will undertake coordinated disclosure, and do the awkward white guy make it rain money dance at the end of it.
  • If the zero-day is dead sexy and does not break any other personal rules, I will keep it for myself, not disclose it, and possibly use it in anger where appropriate.
  • If none of the above apply, I will disclose via a full disclosure mailing list, twitter, and/or my blog if I could be bothered to spend the energy smashing the keyboard.

I believe there is a place for coordinated disclosure AND full disclosure AND non-disclosure. Each piece of research I undertake will always come with its own form of appropriate disclosure. I follow these very loose rules, which, to be honest, can sometimes change from day to day.

So what’s the real moral to this story? To be blatantly honest, make up your own mind about what vulnerability disclosure or non-disclosure policy works for you personally. Don’t care about what other people think. Oh… and more importantly… if you find a vulnerability and it isn’t really a big deal, consider the vendor’s offer to give you expensive free shit in return for your silence. If I had my time again I would gladly hoard #alltheloot. ;)