Vulnerability Disclosure – let’s be honest about motives shall we?

In the last ten years, we’ve seen endless debate about the various merits and problems with vulnerability disclosure. Predictably, the discussion has revolved around the technical details of the extremes: full disclosure versus partial disclosure and all the shades of gray in between. But one important part of the debate has been quietly ignored, amid the heat and smoke – the question of motives. Motives are crucial to our understanding because sometimes knowing why someone does something is a great way of cutting through all the smoke and fog of debate and details. So, let’s talk about motivations. What can we learn?

Why would someone want to search for vulnerabilities in someone else’s software and publicize them? Well, there are a couple of possibilities:

I have trouble believing sheer boredom is what motivates people to spend hours poring over source code, or attempting to reverse-engineer applications. What’s more thought-provoking, a lot of "security researchers" do it as part of their jobs. No, I can’t accept boredom as the motive for vulnerability research. I’ve done code reviews – code reviews are mind-wrenchingly boring. Nobody tries to cure boredom by doing code reviews! No sensible employer pays employees just to do code reviews of other people’s code, either. Remember, during the late 90’s, "grey hat hackers" like @Stake’s analysts commanded tens of thousands of dollars to do a security assessment of a piece of software on behalf of a vendor. So, on one hand we’ve got people willing to pay big bucks for a service and, on the other hand, we’ve got folks willing to perform that same service for free. That doesn’t add up, does it? Clearly, there’s another purpose at play.

What about altruism? Maybe these guys really are doing it just for the sheer joy of helping people out! Maybe they’re doing it to hone their skills and to make the cyber-world a better place. Maybe these guys are candidates for cyber-sainthood. There’s just a small problem with that logic: first off, a lot of their "subjects" wish their "benefactors" wouldn’t do that they’re doing. Secondly, they’re not asking whether their "subjects" want any help. Imagine if you were sitting down to eat a nice big carbohydrate-laden meal when some self-appointed "diet researcher"– without asking or even saying "good morning" – ran up and stole your french fries in order to "help" you improve your diet! There are social norms regarding how help is offered or solicited and it’s not considered polite to help someone without a good understanding of their situation unless it’s obviously an emergency and there’s no time to ask. Even so, society is replete with stories of good samaritans who tackled undercover cops and foiled police operations – we consider people who do things like that to be fools, not heroes. In other words, I don't think that these self-appointed guardians of good code are welcomed by all of their "beneficiaries" - which makes their behavior suspicious, indeed.

Another instructive point is to look at how society treats heroes and good samaritans. Sometimes, a good samaritan who helps out a stranger finds the media spotlight upon them. Society "rewards" these people with their 15 minutes of fame and they get on with their lives. What strikes me is that, often, when you see the kid who rescued a drowning toddler on TV, they’re shy, or embarrassed at the attention, or they’ll say something self-effacing about how it was the right thing to do at the time and they’re just glad everything worked out. Real heroes, it seems, don’t hog the limelight. Real heroes, it seems, don’t issue press releases or trumpet their achievements on the Herotraq mailing list. Unlike the "security researchers." Altruism accepts that sometimes the adulation of society puts heroes in the spotlight, but they’re just as happy to walk away from the scene of their good deeds with the warm glow of knowing they helped someone out. In fact, if someone ran around actively looking for people to help and helping them whether they asked for it or not, we’d probably get them some psychotherapy or give them a swift kick in the pants. Somehow, "security researchers" don’t seem to fit the profile of pure do-gooders. They’re not in it for the quiet warm feeling of helping out.

In fact, "security researchers" that look for vulnerabilities are often quite jealous of getting "credit" for what they discover. Back when I was CTO at Network Flight Recorder, I periodically got contacted by "security researchers" who had found new holes in software and who wanted to notify me – and make sure they got proper credit for their discovery. I remember several times it was hard to get a real idea what, if anything, they had found, because they were afraid someone would steal their credit. At this point, a light begins to dawn: The motives of security researchers are based on getting credit and attention for their discoveries. Well, why would someone do that?

The "security researchers" are doing it to market themselves.

Well, we all really knew that all along, didn’t we? But that casts the situation in a completely different light. "Security researchers" have managed to direct the debate towards the bits and bytes of how releases are timed, and full versus partial disclosure, when the real issue – that their motives are entirely self-serving – is swept under the carpet.

Back when I was in the thick of the full disclosure debate, I used to have "grey hats" come up to me and say, "It’s easy for you to say disclosure is a problem, you’ve already got a great reputation." Thus, the real agenda comes out. Never mind the results of the disclosure, never mind whether it hurts customers, or helps the industry – the people who are doing disclosure are doing it as a cheap substitute for marketing. If you strip away the thin veneer of self-justification, I think it’s a legitimate question to ask whether disclosure for marketing is a good idea. There are plenty of marketing venues that are less controversial and may actually be cheaper. When you look at the companies that use disclosure as their marketing vehicle, you can see that the timing of the disclosures is also suspicious. Is it timed based on discovery, or are the disclosures timed on an interval calculated to achieve the best marketing impact? I think it’s all highly suspicious when I see a marketing-by-disclosure company releasing a new vulnerability about once a month – and making sure that they get quoted in all the newspapers they can as a result. The problem with marketing-by-disclosure is that it rewards disclosing the most damaging possible attacks. The all-time champions of marketing-by-disclosure are a group of bottom-feeders known as eEye security. Their "chief hacking officer" is a masterful media whore, who has gotten a tremendous amount of free press by doling out vulnerabilities that have resulted in billions of dollars of damage to customer networks, while smoothly working both sides of whatever controversy he can generate. Anything for media attention! Screw the customer! Add insult to injury by taking their money!

Disclosure's also a big win for the media, so they're happy to play the game. To tell the truth, I can't tell if the media buy the disclosure argument because:

After all, when have you seen the computer "technical" media write an article about a piece of software that has largely worked, been stable, secure, and reliable? From a standpoint of getting media coverage, writing a mediocre insecure product will get you more attention (thanks to guys like Eeye and NGS) than anything else you could do. I know, I know, complaining about negativity and bias in the media has gone out of fashion - but I can't help it.

We’re complicit in this ridiculous game as long as we allow its players to profit by it. Again, never mind whether disclosure is good or not – we’re encouraging these attention hungry bottom-feeding marketers to manipulate an entire industry for their own ends, and we’re rewarding them with our dollars. What can we do about it? Turn them off. Ignore them. Don't give them a microphone. Don't give them your money. I don’t buy or recommend products from companies that use disclosure as a marketing tool, and neither should you.