Independent identification and verification of security vulnerabilities in commercial software is good for overall Internet security, but there is a right and a wrong way to report the existence of those vulnerabilities, US federal and industry experts said Thursday.
"I don't think we can rely on the software companies to find their own vulnerabilities," said Richard Clarke, chairman of the Bush administration's Critical Infrastructure Protection Board, which is managing an effort to beef up national cybersecurity.
"You have an obligation to help find vulnerabilities," Clarke told a crowd of more than 1,500 industry security experts at this week's annual Black Hat USA 2002 security conference here.
Clarke's comments come on the heels of a threat by Hewlett-Packard Co. to sue a team of researchers that publicized a vulnerability in the company's Tru64 Unix operating system. On July 19, a researcher from a loose-knit group known as SnoSoft posted a message about the vulnerability on the Bugtraq mailing list, along with a hyperlink to a program that enabled hackers to gain administrator-level privileges on Tru64 systems.
"I think [HP's legal threat] hinders our ability to get the vulnerability fixed," said Richard George, technical director of the Security Evaluations Group at the National Security Agency. George added that some vendors have refused to sign nondisclosure agreements with the NSA to discuss vulnerabilities discovered in their software, because "if they don't know about it then they're not liable."
However, Clarke and other experts took aim at researchers and companies that have been accused of discovering security holes and then releasing exploit code before the software vendor has had a fair chance to produce a patch. "It's not the responsible thing to do to let the world know about it before a patch is available," said Clarke.
Some security companies have been accused of releasing exploit code for known vulnerabilities, particularly in Microsoft Corp. software, before the vendor could produce a workable patch and get it out to customers in a timely manner. "That's clearly crossing the line," said Marcus Sachs, a senior policy advisor to Clarke.
"If you're a [security] vendor, responsible reporting means not treating the vulnerability as some sort of fungible commodity. If you have exploit code, you have my attention," said Steve Culp, manager of Microsoft's Security Response Center, underscoring the desire of vendors to fix security problems.
But in a surprising twist, Clarke and other government experts told the gathering of hackers and security professionals that vulnerability research is not only good for Internet security, but essential to avoiding major problems in the future.
"It's actually healthy to try to find vulnerabilities," said Sachs. The goal is to not ignore vulnerabilities because that could create a series of "flash points" on the Internet, he said. Those flash points could later be used in larger attacks that have the potential to "spread like wild fires," said Sachs.
Clarke, Sachs and other experts implored researchers and security companies to make a good-faith effort to contact a vendor before a vulnerability is discussed publicly. "If the vendor is not responsive to your efforts, the next best place to go is the CERT," said Sachs, referring to the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. "If the vendor is still not responsive, then come through us."