Also Discuss vulnerability disclosure issues

Surging clouds

The other day, our team set up an external mailbox solicitation vulnerability. We will send a small gift to our friends who are willing to submit the vulnerability to us. Many members of our team posted this announcement on their own blogs, So we refreshed planet very spectacular and neatly.

Later, I saw a friend raise a question and thought it was too stingy to give a small gift. Here I will talk about the vulnerability disclosure issue.

Traditional software vulnerability disclosure process

For a long time, the security worker has reported the vulnerability to the vendor, the vendor replies, and after the patch, the security worker submits a public vulnerability description report to a security organization, such as FD or CVE.

If the provider ignores the vulnerability, the security worker has the right to publish the vulnerability description report.

This is the industry's default practice. No one has made public legislation to say that this must be done, but everyone is doing this.

In addition to the normal channels mentioned above, there are also some vulnerability transactions.

For example, some security companies are specialized in vulnerability acquisition, such as ZDI. After a security worker discovers a vulnerability, they can directly sell the vulnerability to such security companies, the security company should contact the vendor and decide when to disclose the vulnerability. When disclosing a vulnerability, you will attach the relevant information of the vulnerability discoverer to show respect for the results of your work. A vulnerability may be disclosed for a long period of time, or even more than one or two years. However, the vulnerability discoverers will be rewarded with security companies.

Finally, it is an illegal way. The vulnerability discoverers sell the discovered vulnerabilities to attackers for illegal profit-making activities in private, or the vulnerability discoverers directly engage in illegal profit-making activities. This is the highest reward, but the highest risk. Is a very immoral behavior.

Practices of traditional software vendors

Represented by Microsoft, Microsoft is the biggest victim, but now it is also the best traditional software vendor in the security community. Microsoft has a team dedicated to collecting and analyzing externally submitted vulnerabilities and judging them. If confirmed, the patch will be scheduled on the patch day of each month, or even packaged into the next sp version.

When the patch is released, it also discloses the description and details of the vulnerability, along with information about the vulnerability discoverer.

At the same time, Microsoft also extensively cooperates with third-party security companies to collect vulnerabilities from security companies for paid use. At the same time, before each month's patch day, Microsoft will disclose the details of vulnerabilities to third-party security companies, so that they can promptly update anti-virus software and security protection software against 0-day attacks.


Why do traditional software vendors need to disclose vulnerability information?

I am afraid many people do not understand this. Why do manufacturers need to disclose these negative things? These negative news are very damaging to the manufacturer's image. Therefore, many vendors block such information. However, vendors represented by Microsoft are doing the opposite, disclosing vulnerability information and encouraging everyone to explore its vulnerabilities. Is it because he slapped himself?

Actually not. For traditional software vendors, if they do not disclose the vulnerability information, they will eventually suffer the greatest harm. In the early stages of the software industry, when Internet technology has not yet emerged, if a software vulnerability occurs, the software vendor can only generate a patch or upgrade version for users to buy it back, or download the package and try the patch. This mode of transmission is extremely inefficient. Therefore, when a vulnerability occurs, many people do not have a patch.

With the development of Internet technology, Microsoft invented automatic update, which is a very effective measure. However, for the benefit of Microsoft, it is bound with Microsoft's license, therefore, many pirated users cannot perform automatic update. In addition, there is a time difference in automatic update. Microsoft cannot upgrade all windows in the world at the same time. Many users also get bored with the never-ending upgrade and stop the service. Due to various causes, even if automatic update exists, there are still many users without patches.

In addition to the above technical reasons, the biggest reason is that the user does not know the severity of the vulnerability. There are some lucky feelings: hackers will not attack me. So sometimes, even if the patch can be upgraded, it will not be patched, because patching is a relatively high risk for machines in some environments. It is possible that normal applications will not work after the patch, or restart is required, which is unacceptable for applications with high continuity requirements.

What will happen to users' computers without Patches? Think about the shock wave of that year. The shock wave of that year has had a profound impact on the internet security landscape. In this incident, microsoft realized that, without disclosing such security information to users, it would eventually be the most damaging to itself because the customer's computer was attacked, so that they no longer trust windows.

So Microsoft chose to disclose software vulnerabilities and stick to it until now.


Why not disclose the details of the vulnerability?

Today's vulnerability announcements only provide a vague description of the software version, environment, and risks of the vulnerability. Unlike the code-level details disclosure many years ago. Why? As these vulnerabilities are disclosed, hackers are also staring at these vulnerabilities. If the disclosure is too detailed, hackers can easily write attack code. Because many users are always in a state without Patches, they will become victims.

However, if the description is too vague, the user cannot determine whether there is a need to upgrade the vulnerability, and some will not upgrade, so the trade-off is a very difficult problem.


Are software vendors buying vulnerabilities?

Generally, software vendors do not purchase vulnerabilities from individuals, that is, they do not directly conduct vulnerability transactions with individuals. However, there are two forms of vulnerability trading software vendors will not reject: 1. sign a contract with a third-party security company to purchase vulnerabilities from a security company. 2. Hire a full-time or part-time employee to engage in vulnerability mining activities.

These two methods are due to a contract to protect the rights and interests of software vendors. Without contract protection, such transactions can easily become extortion. In the event of extortion, software vendors are likely to seek other legal weapons to protect themselves.

Even with contractual protection, software vendors are more inclined to purchase vulnerabilities from security companies. One is to ensure the quantity and quality, and the other is to put forward stricter requirements, third, it is better to trade credibility with the company. On the contrary, it is difficult for a software vendor to trust the credibility of an individual to trade with an individual, even if it is guaranteed by a contract. The two are not equal individuals from the very beginning.


How can software vendors thank vulnerability contributors?

As mentioned above, software vendors do not directly spend money to buy vulnerabilities from individuals, which is absolutely unacceptable for software vendors. But how can we thank those who report vulnerabilities to software vendors for free? In general, it is some other non-monetary rewards. For example, sending small gifts, or inviting customers to visit the company and attend some meetings held by the company. This is a common practice in the industry. There are also some special cases. For example, setting up an award to reward vulnerability victims may be monetary rewards. For example, google once set up a financial award to the native client Vulnerability creator. However, it is a special project and does not comply with the universal principles.

During vulnerability disclosure, vendors generally want to have more time to patch, so it is more appropriate to disclose vulnerabilities at a suitable time. For example, in the recent google chrome patch, the details of google will be published after most users have completed the patch.


Web vulnerability Disclosure

I have mentioned so much. In fact, the following are the purposes of this article.

Generally, Internet companies do not disclose any details about Website vulnerabilities.

This is because website vulnerabilities are essentially different from traditional software vulnerabilities. All website vulnerabilities are controllable for Internet companies. Traditional software vendors cannot upgrade all software at the same time, which is not a problem for Internet companies. Once an application is released, it is completely solved.

However, there are some exceptions to this principle.

First, web applications are not listed here. Such as commercial forums or other open-source web applications. Because this type of things is actually downloaded and installed by users, although the development language is web language, it should still be included in the ranks of traditional software.

Second, when the impact of the website vulnerability is very high and the website cannot eliminate all the impact after a patch, the reasons should be publicly explained. For example, if the database of the website is down, you must notify all users to change their passwords. Similarly, the leakage of a large amount of credit card information has a negative social impact and should be explained publicly.


At last, our company will follow our industry practices and win our friendship for our friends who really help us improve website security. However, we will not pay for it. we will express our gratitude in other forms and try our best to meet your needs.