Chapter 20: Reporting Security Bugs

Whether you find bugs in someone else's product or someone outside of your company identifies a bug in your product, it is important to understand the different views around reporting security vulnerabilities. Appropriate actions to take both by the bug finder and the vendor once a bug is identified are heavily debated. Vendors usually want the issue to be kept quiet until it is fixed, whereas some bug finders believe in immediate public disclosure. This chapter discusses some of the controversy. In this chapter, you will learn how to responsibly report and disclose security issues you find in software made by another company and how to address security issues reported against the product you work on.

Reporting the Issue

After they identify a bug, bug finders commonly notify two parties: the vendor and the security community. Upon notification about the bug, it is hoped the vendor will quickly fix the issue and protect users by issuing a patch. When the security community is notified of a bug, people are better able to understand the flaw, which allows defensive measures to be put in place and also furthers security research. (As discussed in Chapter 1, General Approach to Security Testing, you can learn from other people's bugs.)

Tip

It is important to report security bugs you identify. Someone else, who might not have good intentions and who might use the bug maliciously, possibly has or will find the same bug. When the bug is reported, the problem can be fixed to help reduce this possibility.

Although some people argue bugs should be disclosed publicly immediately after they are found, it is generally accepted that the vendor should be notified prior to disclosing the issue publicly. Proponents of immediate disclosure argue that the software is being used in the real world so users should be aware of the danger and might be able to take steps to mitigate their risk. They also argue that immediate public disclosure applies pressure, forcing the vendor to fix the bug as quickly as possible. Others feel public disclosure enables attackers who were previously unaware of the bug to exploit the flaw against target systems before a patch is available.

Responsible disclosure is a process in which bug finders report bugs to the vendor and wait until a patch is available before publicly disclosing the issue (see Figure 20-1). Many believe this allows the issue to be fixed by the vendor without alerting attackers while still providing the security community the information necessary to build additional mitigation strategies and understand the details to help find additional security bugs in other products.

Figure 20-1: Responsible disclosure process


Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
