Responsible vulnerability disclosure: raising the bar
The New Zealand Internet Task Force (NZITF) won an award at AusCERT earlier this year, recognising the work it does to get our security community talking and working together. Chair Mike Seddon says New Zealand's information security has come a long way in a relatively short period of time, and that we have an active and friendly security community.
But one area of security where New Zealand can do a lot better is security vulnerability disclosure. In the following piece, he explains that how we disclose vulnerabilities, and how we respond to the people who tell us about them, needs to get a lot better if we want to be more secure.
Vulnerabilities are a fact of life. We build websites and ICT systems on frameworks coded by humans, and they sit on servers built by humans. They are used by humans on computers with operating systems coded by humans, looking at them in browsers coded by humans. Well, you get the picture.
Mistakes happen, and vulnerabilities exist in most systems. The key is finding them, understanding how serious they are and then fixing those that need fixing. That shouldn't be hard.
But at the moment it is. Hackers, security researchers and members of the "ad-hoc security community" find vulnerabilities all the time; they're just too afraid to tell anyone about them because they think they will be reported to New Zealand Police. Looking at recent history, I can't blame them:
- Keith Ng was reported to Police over his 'MSD kiosk' story
- the Minister of Justice compared the person who highlighted a vulnerability in a Ministry of Justice system to a burglar
- AmmonRa, who hacked the Christchurch buses' metro card system, was also reported to Police.
Beyond these high-profile examples, which have created a chilling effect, the general approach by researchers is to keep their findings to themselves rather than risk the stress of legal action.
Hackers and researchers not saying anything doesn't help anyone.
In response to this situation, earlier this year the NZITF undertook to do something about it. We quickly became aware that researchers don't know how to get in touch with organisations' security teams, and that they don't always explain themselves well. But equally, security managers, IT professionals and CIOs are not responding in a way that shows respect or gratitude to the researcher.
At the NZITF we want to help New Zealand organisations and New Zealand security researchers lift their game. We want to create an environment where security vulnerabilities are identified, disclosed and fixed in a short period of time in a coordinated and mature manner.
To help us all get better at identifying and fixing vulnerabilities, we've decided to build some responsible disclosure guidelines setting out simple, basic steps that both researchers and ICT system owners can take to make this easier. Responsible disclosure is based on some very simple, common-sense principles:
- both parties should act in good faith to identify and fix security vulnerabilities
- researchers should be able to disclose vulnerabilities without fear of being reported to police
- organisations should be able to fix vulnerabilities before details of the vulnerability are made public (e.g. through a presentation at Kiwicon).
To make sure these guidelines are as good as they can be, we're currently seeking people's views on the draft guidelines, which is where you, the members of the Institute of IT Professionals, come in.
As IT professionals, we want your views. Are the guidelines too long or too short? Have we missed anything? Do we need to make anything clearer? Do you dislike the term 'responsible disclosure' (it is also sometimes referred to as coordinated disclosure)?
We want to hear from you and we want to make sure that these guidelines meet the needs of our IT sector and are presented in a way that is easy to engage with.
Mike Seddon has been Telecom New Zealand's Operational Security Manager since 2007, and is one of the co-founders and Chair of the New Zealand Internet Task Force (NZITF), a not-for-profit society with a mission to improve the security posture of New Zealand. He'll also happily talk to anyone willing to listen about beekeeping.