Shostack + Friends Blog Archive


How not to report vulnerabilities

This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2.
Robert Lemos at CNET writes:

“We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.”

However, Microsoft’s Wilson took issue with Finjan’s move, contending that the software giant does not agree on how many of the flaws are real. Moreover, because the security company released the issues piecemeal, the software giant argues that it is not certain that Finjan has even named 10 vulnerabilities.

“They have been contacting us over time regarding various issues,” Wilson said. “But there is no definitive communications between Microsoft and Finjan about 10 specific issues.”

(I don’t agree that a vendor is always owed 30 days (as Lemos claims is standard.) Its a fine goal, but there are often issues that need faster response. The vulnerability clock ticks from the day the bad code is written. Software companies need to enhance their testing practices and software modularity so they can cut reliable patches faster.)

Back to the reporting side.

The Finjan press release includes no CVE names. It is now easy to reserve CVE CANdidates. Responsible researchers should do so. (There are lots of good, competing definitions of responsibility. None that I know of includes making your research harder to access and manage.)

Microsoft and Finjan can’t agree on how many issues Finjan has reported. This is slop on Finjan’s part. They may have found two routes to one issue, but there certainly shouldn’t be a 3-10-19 discrepancy. Finjan should clearly state how many issues they’ve found, roughly what they are, and when Microsoft was informed of them. Many people have issues with the detail in eEye advisories. But they are very clear on what they’ve reported.

One comment on "How not to report vulnerabilities"

  • Max Dornseif says:

    Maybe I just can’t read, but the page you link to doesn’t make it “easy to reserve CVE CANdidates.” There is a lot of stuff on that page but nothing that solves my question: how do I get a candidate number. Where is a list of CNAs?
    To me the whole seems to completely ignore the needs of researchers. Shouldn’t there be a big bad button “Researchers click here”?

Comments are closed.