Today, the Internet suffuses everything companies do. There is no one person responsible. If companies haven't setup a disclosure policy (such as an email account "firstname.lastname@example.org"), they simply cannot handle disclosure. Assuming you could tell everyone in the company about the problem, from the CEO on down to the sysadmins and developers, you still won't have found the right person to tell -- because such a person doesn't exist. There's simply no process for dealing with the issue.
I point this out in response to the following Twitter discussion:
@KimZetter true. hey @tactical_intel I can connect you… CC: @ErrataRob— ❄∵ Joshua Corman ∵❄ (@joshcorman) January 5, 2016
Josh's assertion is wrong. There is nobody at American Airlines that can handle a bug report. At some point, a product management team is going to have to prioritize fixing this bug compared to other features they want to implement, and they'll likely convince themselves that this bug isn't important, and it won't get fixed.
Josh is imagining that somebody at American Airlines has both the competence and authority to handle such a bug. But if that were true, then they'd already have a vuln-disclosure program, and emails sent to "email@example.com" would get answered. In other words, Josh is asserting that they do handle vulnerability reports -- but using a super-secret process that nobody knows about.
Large companies all deal with risk the same way. It doesn't matter if the risk is hackers, or an implosion in the housing market, or the explosion of oil refineries. The first look at "best practices", what their peers/competitors in the industry do. The second is they'll respond to bad things that happen to them.
In other words, the only way American Airlines will get a vuln-disclosure/bug-bounty program is (1) if many other airlines create such programs, or (2) they get bitten hard by a vulnerability.
So far, United Airlines is the leader, having created a bug-bounty program that has reward security researchers millions of frequent-flyer miles in rewards. Other airlines will eventually catch up. In the meanwhile, the only way for American Airlines to respond to a vuln is for the bug to be reported on a full-dislosure mailing list. This will either cause people in the company to panic, and therefore fix the bug before it bites them. Or, hackers will exploit the bug, and cause millions of dollars of damage. Either way, it's how American Airlines decided to do business, how they chose to respond to risk.
...and I'm not saying this because I want to be mean to the company. I don't even think it's a wrong way of doing business. Sure, it sounds bad relative to the risks I understand (hacking), but it's the only way I know how to handle other risks. Waiting to be bitten by a risk is often a better strategy than trying to anticipate all possible unknown risks.
The various CERTs can also be used as a go in between. Example:
I agree! Today the World Wide Web is not just a network, it is like a wild world full of dangerous places and creatures (I mean hackers) that can attack you when you don’t expect it. That is why it is crucial to have good IT team to fight with attackers that are about to destroy your online data room
Post a Comment