Responsible Disclosure and Months of Bugs
I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying:
I whole-heartedly back these projects as long as they're done professionally, i.e. as long as they respect responsible disclosure.
Well Michael, then you shouldn’t be supporting any of the three major projects to date. From the PHP MoB’s FAQ:
4. Does the PHP Security Response Team know about these issues?
They got prior notification for many but not all of the bugs. Therefore some of the bugs are already fixed in the latest PHP releases and some not. Even when PHP developers get prior notice they usually endanger their users by committing fixes to the PHP CVS tree and then they do not release new security fixed versions for several months.
So not responsible disclosure there. What about the Month of Apple Bugs?
4. Are the issues being reported to the vendor before public disclosure?
Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called ‘responsible disclosure’ is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end. ‘Responsible disclosure’ exists when the vendor doesn’t deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don’t trust Apple on these matters due to the track of incidents and unpleasant situations surrounding their policy on product vulnerability handling.
So not only is MOAB not doing responsible disclosure, they are actively against it. Guess you’re not supporting them either.
Well what about the granddaddy of them all, the Month of Browser Bugs? This one is the trickiest because they don't spell out their process anywhere obvious. However, several of the posts are tagged with the date the issue was reported to Microsoft. Others say only that they'll be added to the OSVB later and give no date on which they were reported to the vendor. I can only assume that they were not.
So, which projects is it that you are supporting again?