> there's nothing "responsible" at all about independent researchers disclosing information to the public only on a vendor's schedule and terms.

Right, so the reason we disagree is that we have different understandings of what "responsible disclosure" means. From Wikipedia:

> In computer security or elsewhere, responsible disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended. This period distinguishes the model from full disclosure. [1]

And full disclosure:

> Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction.

Nowhere does it say that this is done "on a vendor's schedule and terms". On the contrary, unless there is some other agreement in place, the discoverer can publish any time they like; and so in reality control of the schedule is always at the discoverer's terms.

This is recognized in the XenProject's Security Response Process [2]:

> When a discoverer reports a problem to us and requests longer delays than we would consider ideal, we will honour such a request if reasonable. If a discoverer wants an accelerated disclosure compared to what we would prefer, we naturally do not have the power to insist that a discoverer waits for us to be ready and will honour the date specified by the discoverer.

Google Project Zero typically report a vulnerability and say, "We're telling everyone about this in 90 days, hope you're ready."

That is my expectation of "Responsible disclosure". If SEC Consult waited 18 months, it's either because 1) they had a contract with Fortinet of some sort, or 2) they were convinced that waiting 18 months would cause less harm to people than zero-daying everyone.

[1] https://en.wikipedia.org/wiki/Responsible_disclosure

[2] https://xenproject.org/developers/security-policy/


As I said at the top of the thread: it often makes sense to coordinate with vendors, and natural preferences often do align. But it sometimes doesn't, and, at times, it even makes sense to disclose without any coordination. Un-coordinated disclosure isn't intrinsically irresponsible, and so the term "responsible disclosure" is misleading. This isn't just my idea, and the term itself has become disfavored among vulnerability researchers.


> Un-coordinated disclosure isn't intrinsically irresponsible,

I agree with this.

> and so the term "responsible disclosure" is misleading.

I think this is a key point. As I said, I think "responsible" implies being responsible on both sides: neither simply publishing without sufficient time for a vendor to make a fix, nor waiting indefinitely while the vendor waffles around or tries to pretend the vulnerability doesn't exist. "Responsible disclosure" focuses (or ought to focus) on minimizing harm to users, whereas "coordinated disclosure" focuses on cooperating with the vendor. As such, "Responsible disclosure" in fact carries within itself the threat of going public if the vendor is dragging their feet, where "coordinated disclosure" doesn't.

I continue to think that we should use the term "responsible disclosure", and insist that it mean actually behaving responsibly to users.

[Minor edits]


I understand what you're trying to say. You're saying that conceptually there is such a thing as being "responsible" or "irresponsible" about disclosure, and I think that's true!

The problem is that (charitably) the term of art (or uncharitably, brand) "responsible disclosure" is attached to some very specific norms, including "not releasing vulnerabilities without a patch" and "giving vendors a commercially reasonable amount of time to create a patch" and "working closely with vendors to coordinate that time window" and "redacting or carefully reducing POC code", which are not themselves universal or even generally "responsible".

They're commercially responsible, to be sure! But it should not be an obligation of unpaid third party researchers to expend any effort whatsoever to be responsive to a vendor's commercial concerns. It's a nice thing to do, and some people are just preternaturally nice to vendors, and that's usually fine, but there's nothing deontologically "responsible" about that.


> You're saying that conceptually there is such a thing as being "responsible" or "irresponsible" about disclosure, and I think that's true!

I'm saying more than that.

We both seem to agree that there is an ongoing war about disclosure; and that large vendors (through a mix of good, neutral, and bad intentions) are warring to make disclosure more convenient and less painful for themselves, to the detriment of their users (and ultimately themselves as well); and that the use of words is one arena in which that warfare exhibits itself.

But we've come to opposite conclusions about the best way to fight the war in this specific arena.

You've observed that companies are trying to define "responsible" to mean "commercially responsible". But rather than recognizing this attempt at redefinition as an attack, and insisting on using the word "responsible" to actually mean responsible towards users, you seem to think that the use of the word itself is an attack; and want to instead try to insist on using a different term, "coordinated disclosure".

I think that's a bad strategy. You're advocating that we surrender the word "responsible" entirely to large vendors. Large vendors are not going to stop using the word "responsible"; if right-minded security researchers simply abandon the word, then the broader public are going to be entirely at the mercy of vendors to decide what's "responsible". Furthermore, as I've argued, using "coordinated" shifts all focus to the vendor, removing any focus from the user at all.

In the war over disclosure, your strategy seems to me to hand a massive win to big vendors.

I think a much better strategy is to counter-attack. The word "responsible" is too valuable a term to just give up. We must continue to insist that "responsible" means "responsible to users"; and we must continue to insist that there are times when pressuring and even embarrassing large companies is the most responsible thing to do.


There's nothing I can say to this that I haven't already said. "responsible disclosure" is a term of art. It means something you don't mean. You can redefine it for yourself, but people reading you will take its actual meaning, not yours.


Nondisclosure prevents end users from mitigating an unpatched vulnerability, and only protects them if nobody else has found it.


You should dig in to the history of “responsible disclosure”.

http://attrition.org/security/rant/z/ms-disclose.html

It’s a dumb term. You should never use it. Use a more descriptive and neutral term.


> You should dig in to the history of “responsible disclosure”.

That doesn't give a history of responsible disclosure, but it does correspond with my understanding of the situation.

He mentions "RFPolicy" invented by security researcher Rain Forest Puppy [1]. This policy includes the following stipulation right at the top:

> You basically have 5 days (read below for the definitions and semantics of what is considered a 'day') to return contact to the individual, and must keep in contact with them at least every 5 days. Failure to do so will discourage them from working with you and encourage them to publicly disclose the security problem.

This is completely the opposite of "the vendor is entirely in control of the process". A few paragraphs after this reference, the author of your article says:

> This entire charade [a push by Microsoft about disclosure] is nothing more than an elaborate PR scam. The five security companies that are involved (@Stake, BindView, ISS, Foundstone, Guardent), were they not following these general rules along the lines of responsible disclosure?

This paragraph implies that the author of the article identifies RFPolicy -- a policy created by security researchers themselves -- with "responsible disclosure", and is blaming Microsoft for trying to hijack the term.

But instead of insisting that "responsible disclosure" means something like RFPolicy, you're insisting that actually "responsible disclosure" means something like what Microsoft wants it to mean. Rather than fighting to maintain control of a term that security researchers invented, you're advocating surrendering the term to Microsoft and other organizations like them.

I think that's bad strategy.

[1] https://dl.packetstormsecurity.net/papers/general/rfpolicy-2...

Edit: Clarify some antecedents.


There is a lot of history here that you may not be aware of. Security researchers didn’t invent it, that’s kind of the point. Microsoft did, to further their own interests, in a way that was very adversarial to security researchers, and one of their vendors at the time (@Stake) tried to formalize it in an RFC that went nowhere. And the primary author of that RFC, who was an @stake employee (Wysopal), has also publicly disavowed it.

This isn’t surrendering the term, not only because Microsoft largely invented it, but even they disavowed it 10 years ago. Not even Microsoft wants that term anymore!

You cannot “insist” what it means. You’re trying to redefine it from its original framework to fit your personal definition of “responsible”, which nobody agrees on, and which is one of the many reasons that it’s a dumb term.

It’s like saying you believe in buying cars that are responsible colors. If you want to communicate efficiently and without being inflammatory and presumptuous in a community where reasonable minds have long disagreed, you should just say “red”. Everyone knows what that means.

Here is some other reading:

https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coor...

https://resources.sei.cmu.edu/asset_files/SpecialReport/2017... (See 1.2.5.1)

https://www.computerworld.com/article/2519499/drop--responsi...

https://security.googleblog.com/2010/07/rebooting-responsibl...


Google Project Zero do not use the term “responsible disclosure” to describe this. They quite openly reject the term and do not follow “responsible disclosure”, which would prohibit them from publishing exploit details even after the fix is out, and would prevent them from disclosing that an issue even exists prior to a fix being available. The term was specifically a social engineering attempt to brand exactly what GPZ is doing as irresponsible (even though they didn’t exist at the time).


Do you have a reference for any of this?

The Wikipedia page on Responsible Disclosure lists GPZ as one of their first examples.

All of the people I know in this area consider the threat of publication as an implicit part of the "responsible disclosure" process.

[1] https://en.wikipedia.org/wiki/Responsible_disclosure

