On Friday, Google’s Project Zero Team issued a call to action for ethical hackers to hold vendors accountable for timely software fixes in the form of deadline ultimatums.
“We’d like to call on all researchers to adopt disclosure deadlines in some form,” the team wrote in a blog post Friday. “We’re excited by the early results that disclosure deadlines are delivering -- and with the help of the broader community, we can achieve even more.”
The call came after the Project Zero team announced a 14-day grace period for its strict 90-day patch policy. Prior to the change, when the team reported vulnerabilities in a given piece of software, the vendor was given 90 days to fix them before the weaknesses were publicly disclosed.
The strict deadlines have led to 85 percent of companies releasing patches before the 90-day deadline. The unbending nature of the policy, however, has received heavy criticism from many, including big software competitors like Apple and Microsoft.
Though the Project Zero team has since relaxed its deadline requirements, allowing up to a 14-day grace period for patches that are close to release, it remains determined in its mission to raise industry standards in vulnerability patching. It is in this spirit that the Project Zero team issued its call to action to the security research community.
But for independent security researchers, answering Google’s call can be difficult. Many a friendly hacker has war stories to share about their reports being met with opposition or indifference.
One New Zealand-based security researcher, who spoke with iDigitalTimes anonymously, shared his troubles when reporting problems with a client’s website.
“I had discovered that a client of my company had a weakness in their prepay top-up page, which could directly impact users. I tried contacting the client about the problem for several months via Twitter, email and sales contacts within the company,” the researcher said. “I eventually got a reply from their security team. They said they had independently tested the site and that it was secure – but it wasn’t. I then wrote a public blog post about the issue, showing how you could use a MITM attack to steal credit card numbers or redirect the top-up payment to another phone.”
Shortly after outing the weakness, the researcher received internal pressure from his bosses to remove the post.
“The CTO of my company quickly contacted me, asking me to take the post down. Since the client continued to assert their site was secure, I refused to remove the post,” the researcher continued. “I was then formally disciplined for ‘bringing employer into disrepute with a client,’ resulting in suspension from my position for several days until legal could arrive to consult.”
This security researcher’s story is not unusual. Another security researcher, Tim, who also preferred to remain anonymous, reported receiving threats after trying to force accountability from the vendors he sought to protect.
“Around January of last year we submitted a vulnerability to a well-known vendor,” said Tim. “They acknowledged the vulnerability and promised a fix in 90 days. When nothing happened, we asked why they weren't fixing it and they told us it would require ‘infrastructural changes’ that could impact many customers. We told them we were going to publish the weakness. Their CEO called, threatening to take us out of business. The vulnerability still exists, but we are powerless to report it.”
While not all friendly hackers experience threats from vendors, many still bemoan the fact that their reports often disappear into a void of indifference.
“I've found dozens of XSS vulnerabilities on dozens of sites,” shared Dan Tentler, security researcher and co-founder of Carbon Dynamics. “When I do report them, most of the time I simply never hear back and nothing gets fixed. It feels like I'm just wasting my time trying to help since it appears that nobody cares.”
Despite these bleak conditions, not all companies meet such reports with opposition. Increasingly, more companies welcome the input of friendly hackers and occasionally compensate security researchers for their efforts.
This is why platforms like HackerOne have been developed. HackerOne is a platform for software companies that streamlines vulnerability reporting and even offers bounties for reported bugs. The platform builds a much-needed bridge between friendly hackers and software companies, allowing them to work together and expedite software fixes.
“Criminals don't try to report technical details on how they attacked an online service, but friendly hackers do and are, unfortunately, often met with indifference or worse yet, threats of legal prosecution,” said HackerOne’s Chief Policy Officer Katie Moussouris. “This is counter to defenders' goals, since it discourages people from trying to help because they often fear coming forward.”
Moussouris said programs such as HackerOne are important because they allow “anyone” from the outside, not just specifically hired penetration testers, to safely report vulnerabilities to an organization.
“Having a clear way for hackers, customers, partners, or anyone who happens to find a security issue in an online service to report a potential security issue, is a sign of organizational maturity when it comes to security,” Moussouris said. “Offering bug bounties for that type of information would take these financial institutions to the next level in terms of demonstrating that they take security seriously.”
“The biggest security investments of any organization should be proactive, trying to prevent security issues early in the development life cycle,” Moussouris continued. “But for the inevitable security issues that weren’t caught via strong preventative processes, the practice of having a well-defined vulnerability coordination program is still absolutely necessary in the ongoing struggle to defend.”