Tuesday, January 05, 2016

Mythical vuln-disclosure program

In the olden days (the 1990s), we security people would try to do the "right thing" and notify companies about the security vulnerabilities we'd find. It was possible then, because the "Internet" team was a small part of the company. Contacting the "webmaster" was a straightforward process -- indeed their email address was often on the webpage. Whatever the problem, you could quickly get routed to the person responsible for fixing it.

Today, the Internet suffuses everything companies do. There is no one person responsible. If companies haven't set up a disclosure policy (such as an email account "security@example.com"), they simply cannot handle disclosure. Even if you could tell everyone in the company about the problem, from the CEO on down to the sysadmins and developers, you still wouldn't have found the right person to tell -- because such a person doesn't exist. There's simply no process for dealing with the issue.

I point this out in response to the following Twitter discussion:

Josh's assertion is wrong. There is nobody at American Airlines who can handle a bug report. At some point, a product management team is going to have to prioritize fixing this bug against other features they want to implement, and they'll likely convince themselves that this bug isn't important, and it won't get fixed.

Josh is imagining that somebody at American Airlines has both the competence and authority to handle such a bug. But if that were true, then they'd already have a vuln-disclosure program, and emails sent to "security@aa.com" would get answered. In other words, Josh is asserting that they do handle vulnerability reports -- but using a super-secret process that nobody knows about.

Large companies all deal with risk the same way. It doesn't matter if the risk is hackers, or an implosion in the housing market, or the explosion of oil refineries. The first thing they do is look at "best practices", meaning what their peers/competitors in the industry do. The second is that they respond to bad things that happen to them.

In other words, the only way American Airlines will get a vuln-disclosure/bug-bounty program is (1) if many other airlines create such programs, or (2) they get bitten hard by a vulnerability.

So far, United Airlines is the leader, having created a bug-bounty program that has rewarded security researchers with millions of frequent-flyer miles. Other airlines will eventually catch up. In the meanwhile, the only way for American Airlines to respond to a vuln is for the bug to be reported on a full-disclosure mailing list. This will either cause people in the company to panic and therefore fix the bug before it bites them, or hackers will exploit the bug and cause millions of dollars of damage. Either way, it's how American Airlines decided to do business, how they chose to respond to risk.

...and I'm not saying this because I want to be mean to the company. I don't even think it's a wrong way of doing business. Sure, it sounds bad relative to the risks I understand (hacking), but it's the only way I know how to handle other risks. Waiting to be bitten by a risk is often a better strategy than trying to anticipate all possible unknown risks.


Anonymous said...

The various CERTs can also be used as a go-between. Example:


ShawnM said...

I agree! Today the World Wide Web is not just a network, it is like a wild world full of dangerous places and creatures (I mean hackers) that can attack you when you don't expect it. That is why it is crucial to have a good IT team to fight the attackers that are about to destroy your online data room.