Unethical vulnerability disclosures 'a disgrace to our field'

The question of when and how to disclose software vulnerabilities is a contentious one in cybersecurity, with the interests of researchers, vendors and users often in competition.

According to Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, common software vulnerability disclosure methods include the following:

• Full vendor disclosure. In a full vendor disclosure approach, external security researchers agree to disclose vulnerabilities only to relevant vendors to avoid unveiling information that malicious hackers could exploit. Critics of this strategy say it fails to hold software companies accountable for patching vulnerabilities in a timely fashion, leaving users at risk and stifling information sharing.
• Full public disclosure. At the other end of the spectrum, full public disclosures involve sharing vulnerability details publicly and in their entirety, whether software vendors have developed patches or not. Proponents argue this approach better serves users by pressuring vendors to respond quickly to high-risk bugs of which attackers may already be aware. Critics say it makes the public less safe, as vendors and malicious hackers race to beat each other to the punch.
  
  Some researchers have also reported resorting to full public disclosure out of frustration with lackluster vendor responses and flawed bug bounty programs.
• Coordinated disclosure. Coordinated disclosure falls somewhere between full vendor and full public disclosures. Also known as partial vendor disclosure or responsible disclosure, a coordinated disclosure approach entails some level of cooperation between researchers and vendors.
  
  For example, in a coordinated disclosure, an ethical hacker might wait 60 days to publicly announce a vulnerability, giving the affected vendor time to develop a patch. The researcher might also withhold proof-of-concept code to avoid giving malicious hackers information on how to exploit the bug.

"Education is key -- informing readers of the different points of view and then letting them make up their own minds," said Allen Harper, lead author of Gray Hat Hacking. "That said, I think it is important for all cyber professionals to recognize that there are lines, to draw those lines for themselves and to hold themselves accountable."

Here, Harper discusses the potentially devastating consequences of unethical vulnerability disclosures and why he believes cybersecurity needs more practitioners who use their powers for good.

Editor's note: This interview was lightly edited for length and clarity.

What does it mean, to you and your Gray Hat Hacking co-authors, to be an ethical hacker?

Allen Harper

Allen Harper: The point of Gray Hat Hacking: The Ethical Hacker's Handbook -- and the point of being a gray hat hacker -- is to use offensive techniques for defensive purposes. We want to help people, not hurt them, and we never want to do anything that's illegal or that crosses any lines. We believe in beating the bad guys to the punch by using their techniques to find issues and get them fixed before someone comes around and takes advantage of them. We wrote this book to support the good guys out there trying to make a difference.

We also work hard to ethically disclose vulnerabilities. There's nothing in the book that you wouldn't find elsewhere or anything in there that would hurt anyone. So, for example, say one of our authors were to find a vulnerability in a major software vendor's product. Out of our own sense of decency and ethics and morals, we would reach out to that company first and let them know.

I've personally given companies 60 to 90 days to work through issues before talking about a vulnerability publicly and before I would dare write about it in the book.

Learn how to get started with binary diffing in an excerpt from Chapter 18 of Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition by Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Daniel Fernandez, Huáscar Tejeda and Moses Frost, published by McGraw Hill.

Click on the book cover to learn more.

When it comes to when and how a security researcher discloses a vulnerability, what's at stake?

Harper: I have personally seen companies destroyed by unethical vulnerability disclosures. Think about all of the lives affected. I'm talking thousands, or tens of thousands, of people who could be laid off because of one unethical hacker, and it's just unacceptable.

I have personally seen companies destroyed by unethical vulnerability disclosures.

Far too many people have been hurt by irresponsible cybersecurity professionals, and it's embarrassing. It's worse than that; it's a disgrace to our field. We need more people who are using their powers for good. That's our main message, and we always want to make sure it comes across in the book. It's why we do what we do; it's what makes us different from the bad guys. And it's what allows us to sleep easy at night -- knowing that we make the world just a little bit better with our presence instead of worse.

What advice would you give to an aspiring ethical hacker who wants to stay firmly on the side of the 'good guys?'

Harper: You need only listen to some of the talks and see some of the presentations at cybersecurity conferences today to find that not everyone is ethically disclosing vulnerabilities. For someone new to the field, it's particularly important to find mentors and to join an ethical security company. Do some research. Ask yourself: Has the company been involved in ethical or unethical vulnerability disclosures? If a hacker finds a vulnerability in the research lab, does the company race to a security conference and talk about it there first? Does it publish it blindly? Or does it work with the vendor and try to resolve the issue and then disclose it?

Don't get me wrong -- I'm not against getting credit. I think we deserve to be paid well for our efforts and to be recognized for them. But there's an ethical way to do it. Far too many companies are trying to get their 15 minutes of fame, and they're throwing other organizations under the bus.

So, look at a company's publications and the details will be there. It might describe how it responsibly worked with the vendor and maybe did a joint press release. Or the first thing you find might be that it talked or posted online about the problem and that the vendor struggled to fix it after the fact. I would put it out there that that is not ethical.