Evolution of Vulnerability Disclosure Practices

 
History of Vulnerability Disclosure

Julian Cohen (@HockeyInJune)

Brief Timeline

1988: Morris worm (source)
1989: Zardoz private mailing list (source)
1999: Common Vulnerability Enumeration (source)
2001: Code Red and Nimda (source, source)
2002: Full Disclosure mailing list (source)
2002: iDefense and ZDI (2005) non-vendor bug bounties (source, source)
2007: Pwn2Own (source)
2008: Microsoft Vulnerability Research Program (source)
2008: Conficker (source)
2009: No More Free Bugs (source)
2013: Bugcrowd founded (source)
2014: Google Project Zero (source)
 
Mailing Lists

Before disclosure policies, security vulnerabilities were shared among researchers and systems administrators over mailing lists and other private venues (source, source)
Disclosure motivations were broad and rewards were limited
Some researchers were looking for fame or notoriety; others were trying to help systems administrators patch their systems
Vulnerabilities were also published and discussed in zines like Phrack and in private venues like BBSes and mailing lists
Many private venues were compromised and leaked
 
Full Disclosure

Full Disclosure (n): Full disclosure is the practice of publicly publishing software vulnerabilities and exploit code as early as possible. The primary stated purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who exploit them.
Many researchers were frustrated that their vulnerability reports to developers, maintainers, or organizations were being ignored
Rather than do nothing, many researchers would publish vulnerability details, exploit code, or patches to keep system administrators aware of known vulnerabilities (source)
Individuals and groups wrote their own disclosure policies (source, source)
 
Anti-Full Disclosure

Many groups came out in opposition to full disclosure (source, source, source)
Publicly disclosed vulnerabilities and exploit code allowed script kiddies and adversaries to exploit vulnerabilities previously unknown to them
Vulnerabilities that are publicly disclosed with exploit code are more likely to be used in attacks (source)
Adversaries commonly use public exploit code and whitehat offensive tools in their kits and campaigns (source, source)
 
Responsible Disclosure

As the security industry matured and more organizations started responding to vulnerability reports, organizations needed time to resolve the vulnerability and distribute the patch to their users
As vendors became frustrated by full disclosure and other disclosure policies, many began to speak out against full disclosure and for researchers to be more collaborative (source, source)
Cisco tried to censor a BlackHat presentation that contained Cisco IOS vulnerabilities (source)
 
Coordinated Disclosure

Coordinated Disclosure (n): Coordinated disclosure is when disclosure of a vulnerability or issue is coordinated between the vendor and the researcher, typically allowing for the vulnerability or issue to be patched or mended before it is publicly disclosed.
Many folks came out in opposition to responsible disclosure, arguing that calling it "responsible" was a loaded term (source)
Microsoft backtracked and created the Coordinated Vulnerability Disclosure standard (link)
This process gave the vulnerable organization and researchers reasonable expectations for communication and remediation

Disclosure Standards

Internet Engineering Task Force (IETF) Responsible Vulnerability Disclosure Process (link)
Organization for Internet Safety (OIS) Guidelines for Security Vulnerability Reporting and Response (link)
The CERT Guide to Coordinated Vulnerability Disclosure (link)
ISO/IEC 29147:2018 (link)
Zero Day Initiative (ZDI) Disclosure Policy (link)
Rapid7 Vulnerability Disclosure Policy (link)
Trustwave SpiderLabs Vulnerability Disclosure Policy (link)
 
Bug Bounties

Bug Bounty (n): A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
Bug bounties commoditize disclosure and reduce legal liability for security researchers
This allows researchers to be paid for their work and vendors to get direct access to researchers
Bugcrowd, HackerOne, Hack The Pentagon, Disclose.io Bug Bounty List
 
Vulnerabilities as Arms

It was illegal to export certain types of encryption until 1992-2000 (source)
The Wassenaar Arrangement has included intrusion software since 2013 (source)
US intelligence develops and uses vulnerabilities (source, source)
Private companies sell vulnerabilities to state-backed adversaries (source)
Vulnerabilities have been used for espionage since at least 1996 (source)
There is a market for vulnerabilities and exploits (source, source, source, source)
 
Resources

Duo History of Vulnerability Disclosure
The Secrets We Keep…: Encryption and the Struggle for Software Vulnerability Disclosure Reform
The Partial Disclosure Dilemma

Special thanks to Dino, Haroon, and Ivan
 
The history of vulnerability disclosure, from the early days of mailing lists and zines to the emergence of Full Disclosure and the debates around anti-disclosure groups. The timeline covers key events like the Morris worm, Code Red, the founding of Bugcrowd, and more, illustrating the evolution of how security vulnerabilities were shared and handled. The shift from private information sharing to public disclosure has had both positive and negative impacts on cybersecurity practices.

  • Vulnerability Disclosure
  • Cybersecurity History
  • Full Disclosure
  • Security Practices
  • Anti-Disclosure

Uploaded on Sep 24, 2024

